-https://www.example.org/ (or https://whatever.org/) (for example through a
-link on a different site) then the proxy just forwards the TLS connection
-(because it doesn't know the fingerprint for https://www.example.org/, that's
-how '-u' works) and you won't be aware that a different server certificate
-might be used!
+https://www.example.org/ - leading .www - (or https://whatever.org/) (for
+example through a link on a different site) then the proxy just forwards the
+TLS connection (because it doesn't know the fingerprint for
+https://www.example.org/, that's how '-u' works) and you won't be aware that a
+different server certificate might be used!
+
+If you always verify the authentication of the connection this isn't a
+problem, but if you only check if it's a HTTPS connection then this attack is
+possible.
+
+
+KNOWN ISSUES
+------------
+
+- Firefox (at least Iceweasel 3.5.16 on Debian) fails to load the error page
+ sent with the "invalid" certificate once the certificate has been accepted.
+ As the user shouldn't accept the invalid certificate this is a minor issue.