(because it doesn't know the fingerprint for https://www.example.org/, that's
how '-u' works) and you won't be aware that a different server certificate
might be used!
+
+If you always verify the authentication of the connection this isn't a
+problem, but if you only check if it's a HTTPS connection then this attack is
+possible.