by griffinmb 2554 days ago
Sure, the "passive" was what I was calling out as incorrect. And as you noted, a compromised trusted CA affects all domains. Which is another thing this article gets explicitly wrong.

> If DigiCert’s Key Management System is compromised, all of their SSL certificates will have to be revoked and re-issued. But if one of the other CAs is compromised, it would not affect Medium’s site.

1 comments

Agreed. This is where folks must risk-rank their traffic contents and determine if HTTPS alone is enough, or if in some cases, encrypted payloads using other forms of encryption and trust are useful. i.e. gpg, psk, etc... Secure email is the first thing that comes to mind.