[wfn]

Wasn't downvoting for the questions, but started downvoting these comments of yours because of your attitude + expectation that OP will answer questions that have in various ways already been addressed if you read the article.

I believe it is bad form / in bad taste to arrogantly presume your questions and points about server trust (and etc.) are unique, not addressed, and create new challenges; without first reading the article which is the bare minimum required for this, IMHO.

Btw, depending on your threat model you may want to validate pubkeys / established session key / etc. using other side channels regardless of software, protocol and medium used.