What about HTTP SSL Client Certificates; i.e. what if a "browser" (attacker) simply includes a bad SSL Client Certificate in a request?