If an error occurs in the validation (missing `certificate-*.pem` files,
fingerprint changed, etc.) it's logged by the proxy (stdout) and the special
-`proxy-invalid.pem` certificate is used. It's easy to spot in the browser
-because it uses an invalid hostname ("invalid") and is self-signed.
+`proxy-invalid.pem` certificate is used to send a 500 error message to the
+client. The connection to the server is closed so there's no chance that any
+client data is sent to the (possible) evil server. The invalide certificate is
+also easy to spot in the browser because it uses an invalid hostname
+("invalid") and is self-signed.
If an internal error occurs before the TLS connection can be established a 503
Forwarding failure is sent to the client (unencrypted).