diff --git a/config.c b/config.c
index 3885c7be..8cdeee24 100644
--- a/config.c
+++ b/config.c
@@ -569,8 +569,7 @@ static void kexlist_handler(dlgcontrol *ctrl, dlgparam *dlg,
{ "Diffie-Hellman group exchange", KEX_DHGEX },
{ "RSA-based key exchange", KEX_RSA },
{ "ECDH key exchange", KEX_ECDH },
- { "NTRU Prime / Curve25519 hybrid kex" " (quantum-resistant)", KEX_NTRU_HYBRID },
+ { "NTRU Prime / Curve25519 hybrid kex", KEX_NTRU_HYBRID },
{ "-- warn below here --", KEX_WARN }
};
diff --git a/doc/config.but b/doc/config.but
index 32973ed7..21ff0bb5 100644
--- a/doc/config.but
+++ b/doc/config.but
@@ -2347,17 +2347,17 @@ cipher selection (see \k{config-ssh-encryption}).
PuTTY currently supports the following key exchange methods:
-\b \q{NTRU Prime / Curve25519 hybrid}: NTRU Prime is a lattice-based algorithm intended to resist quantum attacks. In this key exchange method, it is run in parallel with a conventional Curve25519-based method (one of those included in \q{ECDH}), in such a way that it should be no \e{less} secure than that commonly-used method, and hopefully also resistant to a new class of attacks.
+\b \q{NTRU Prime / Curve25519 hybrid}: \q{\i{Streamlined NTRU Prime}} is a lattice-based algorithm intended to resist \i{quantum attacks}. In this key exchange method, it is run in parallel with a conventional Curve25519-based method (one of those included in \q{ECDH}), in such a way that it should be no \e{less} secure than that commonly-used method, and hopefully also resistant to a new class of attacks.
-\b \q{ECDH}: \i{elliptic curve} \i{Diffie-Hellman key exchange},
+\b \q{\i{ECDH}}: elliptic curve Diffie-Hellman key exchange,
with a variety of standard curves and hash algorithms.
-\b The original form of \q{Diffie-Hellman} key exchange, with a
+\b The original form of \i{Diffie-Hellman key exchange}, with a
variety of well-known groups and hashes:
\lcont{
diff --git a/doc/errors.but b/doc/errors.but
index cea3201c..a35a7256 100644
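Review bot: The KEX_NTRU_HYBRID entry in the kex method table now carries no hint of what sets it apart from the "ECDH key exchange" entry above it, so anyone reading this table (or the dialog it drives) must go to doc/config.but to learn that the Curve25519 half is what keeps it no weaker than ECDH and the NTRU Prime half is the post-quantum part. If the qualifier was dropped to keep the list-box label short, a one-line comment above the entry would preserve that information for maintainers, e.g. `/* Label kept deliberately short; the hybrid's post-quantum rationale is in the key-exchange section of doc/config.but. */`. The enclosing kexlist_handler starts before this hunk.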
--- a/doc/errors.but
+++ b/doc/errors.but
@@ -39,6 +39,9 @@ the one PuTTY has cached for this server}, means that PuTTY has connected to the SSH server before, knows what its host key \e{should} be, but has found a different one.
+(If the message instead talks about a \q{certified host key}, see
+instead \k{errors-cert-mismatch}.)
+
This may mean that a malicious attacker has replaced your server with a different one, or has redirected your network connection to their own machine. On the other hand, it may simply mean that the
@@ -60,7 +63,8 @@ If you've configured PuTTY to trust at least one \k{config-ssh-kex-cert}), then it will ask the SSH server to send it any available certified host keys. If the server sends back a certified key signed by a \e{different} certification authority, PuTTY
-will present this variant of the host key prompt.
+will present this variant of the host key prompt, preceded by
+\q{WARNING - POTENTIAL SECURITY BREACH!}
One reason why this can happen is a deliberate attack. Just like an ordinary man-in-the-middle attack which substitutes a wrong host key,
@@ -74,16 +78,17 @@ configuration, or if your CA configuration involves two overlapping
domains, or something similar.
So, unfortunately, you'll have to work out what to do about it
-yourself: install a new CA key (if you're really sure you trust it),
-or edit your configuration in some other way, or abandon the
-connection.
+yourself: make an exception for this specific case, or abandon this
+connection and install a new CA key before trying again (if you're
+really sure you trust the CA), or edit your configuration in some
+other way, or just stop trying to use this server.
If you're convinced that this particular server is legitimate even though the CA is not one you trust, PuTTY will let you cache the
-certified host key in the same way as an uncertified one. Then that
-particular certificate will be accepted on the next connection, even
-though other certificates signed by the same CA will still be
-rejected.
+certified host key, treating it in the same way as an uncertified one.
+Then that particular certificate will be accepted for future
+connections to this specific server, even though other certificates
+signed by the same CA will still be rejected.
\H{errors-ssh-protocol} \q{SSH protocol version 2 required by our
configuration but remote only provides (old, insecure) SSH-1}
diff --git a/doc/gs.but b/doc/gs.but
index 4eff8967..8b915dbf 100644
--- a/doc/gs.but
+++ b/doc/gs.but
@@ -80,10 +80,10 @@ PuTTY \I{host key cache}records the host key for each server you connect to, in the Windows \i{Registry}. Every time you connect to a server, it checks that the host key presented by the server is the same host key as it was the last time you connected. If it is not,
-you will see a warning, and you will have the chance to abandon your
-connection before you type any private information (such as a
-password) into it. (See \k{errors-hostkey-wrong} for what that looks
-like.)
+you will see a stronger warning, and you will have the chance to
+abandon your connection before you type any private information (such
+as a password) into it. (See \k{errors-hostkey-wrong} for what that
+looks like.)
However, when you connect to a server you have not connected to before, PuTTY has no way of telling whether the host key is the
diff --git a/doc/index.but b/doc/index.but
index ac1a317d..187f5a1e 100644
--- a/doc/index.but
+++ b/doc/index.but
@@ -688,6 +688,16 @@ saved sessions from
\IM{group exchange} Diffie-Hellman group exchange
\IM{group exchange} group exchange, Diffie-Hellman
+\IM{ECDH} \q{ECDH} (elliptic-curve Diffie-Hellman)
+\IM{ECDH} elliptic-curve Diffie-Hellman key exchange
+\IM{ECDH} key exchange, elliptic-curve Diffie-Hellman
+\IM{ECDH} Diffie-Hellman key exchange, with elliptic curves
+
+\IM{Streamlined NTRU Prime} Streamlined NTRU Prime
+\IM{Streamlined NTRU Prime} NTRU Prime
+
+\IM{quantum attacks} quantum attacks, resistance to
+
\IM{repeat key exchange} repeat key exchange
\IM{repeat key exchange} key exchange, repeat
diff --git a/unix/dialog.c b/unix/dialog.c
index c73cdaa3..1e45458a 100644
--- a/unix/dialog.c
+++ b/unix/dialog.c
@@ -3681,6 +3681,7 @@ SeatPromptResult gtk_seat_confirm_ssh_host_key(
/* We have to manually wrap the public key, or else the GtkLabel
* will resize itself to accommodate the longest word, which will
* lead to a hilariously wide message box. */
+ put_byte(moreinfo, ':');
for (const char *p = item->text, *q = p + strlen(p); p < q ;) {
size_t linelen = q-p;
if (linelen > 72)
@@ -3689,6 +3690,7 @@ SeatPromptResult gtk_seat_confirm_ssh_host_key(
put_data(moreinfo, p, linelen);
p += linelen;
}
+ put_byte(moreinfo, '\n');
break;
default:
break;
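Review bot: The wrap loop that follows the added `put_byte(moreinfo, ':')` splits item->text every 72 bytes by byte count alone, which is only safe if that text is pure ASCII such as a base64 key blob; should this case ever receive a UTF-8 string (a CA name or key comment, say), a break inside a multibyte sequence would hand GtkLabel invalid UTF-8 in the very dialog the user is asked to verify by eye. The comment above only says "public key", so the assumption deserves to be stated where the wrap happens, e.g. `/* Byte-wise wrapping: item->text is assumed to be ASCII (base64 key data). */`. I cannot see from this hunk which item types reach this case or what the hidden lines after `if (linelen > 72)` emit between segments, so whether the new ':' prefix yields exactly one separator per line is something to confirm against the rest of gtk_seat_confirm_ssh_host_key, which starts and ends outside this hunk.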