Java: Revise qhelp

java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.qhelp

@@ -15,11 +15,11 @@ An attack might look like this:
 <ol>
   <li>The program connects to <code>https://example.com</code>.</li>
   <li>The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.</li>
-  <li>The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.</li>
-  <li>Java checks whether the certificate has been issued for the host <code>example.com</code>. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: <code>malicious.domain</code>.</li>
-  <li>Java wants to reject the certificate because the hostname does not match. Before doing this it checks whether a <code>HostnameVerifier</code> exists.</li>
+  <li>The <code>TrustManager</code> of the program verifies that the certificate has been issued by a trusted certificate authority.</li>
+  <li>The Java HTTPS library checks whether the certificate has been issued for the host <code>example.com</code>. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: <code>malicious.domain</code>.</li>
+  <li>The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a <code>HostnameVerifier</code> exists.</li>
   <li>Your <code>HostnameVerifier</code> is called which returns <code>true</code> for any certificate so also for this one.</li>
-  <li>Java proceeds with the connection since your <code>HostnameVerifier</code> accepted it.</li>
+  <li>The program proceeds with the connection since your <code>HostnameVerifier</code> accepted it.</li>
   <li>The attacker can now read the data your program sends to <code>https://example.com</code> 
 and/or alter its replies while the program thinks the connection is secure.</li>
 </ol>