Commit c6b7c37

Update https.md
1 parent ee2aa5e commit c6b7c37

1 file changed

+3
-3
lines changed
https.md

Lines changed: 3 additions & 3 deletions
@@ -71,7 +71,7 @@ To solve that problem browser like Chrome, Firefox, Safari etc. come embedded wi
7171

7272
## Certificate Pinning for apps (and website)
7373
#### What's this now?
74-
In general any user who has an access to the app can see all the API calls even if it HTTPS. To do that he creates a certificate authority and tells the device (Android / iOS) to trust it. Now when you connect to the server it replaces your server's certificate with the one generated `on the fly` with its certificate (own public/private `key` pair) signed by his own certificate authority and now he can sit in the middle and act as server for the mobile client and act as client for the server. Sneaky.
74+
In general any user who has an access to the app can see all the API calls even if it HTTPS. To do that he creates a certificate authority and tells the device (Android / iOS) to trust it. Now when you connect to the server it sits in between the server and the app and replaces your server's certificate with the one generated `on the fly` with its certificate (having own public/private `key` pair) signed by his own certificate authority and now he can sit in the middle and act as server for the mobile client and act as client for the server. Sneaky.
7575

7676
#### Wait! Isn't HTTPS supposed to prevent that?
7777
Yes, but HTTPS can only help you when the trusted certificate authorities are actually trust worthy. In this case, the user forced the device to trust his own created certificate authority!
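Review bot: the rewritten line 74 still carries the grammar problems of the original and now mixes pronouns for the same actor ("it sits in between the server and the app" versus "he can sit in the middle"); suggest "even if it is HTTPS", "any user who has access to the app", "(having its own public/private key pair)", and one pronoun throughout. The inserted clause "sits in between the server and the app" also duplicates "he can sit in the middle and act as server for the mobile client" later in the same sentence, so one of the two should go. The paragraph could additionally make explicit up front that this only works because the device owner installed a CA they control, which the answer at line 77 already states; that keeps the reader from concluding that any app user can intercept traffic on a device they do not control.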
@@ -91,8 +91,8 @@ Certificate pinning is a good way to prevent this but there is one better way to
9191
https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-applications/
9292
```
9393

94-
### Precautions for general public
94+
## Precautions for general public
9595
#TODO
9696

97-
### Future of HTTPS
97+
## Future of HTTPS
9898
#TODO
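Review bot: changing "### Precautions for general public" and "### Future of HTTPS" to "##" (lines 94 and 97) correctly brings them to the same level as "## Certificate Pinning for apps (and website)" at line 72, but both sections still contain only "#TODO" (lines 95 and 98); without a space after "#", GitHub renders that as the literal text "#TODO", not a heading, so the page shows two empty sections. Either fill them in this commit or drop the headings until there is content.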
