The takeaway is that when this passes, we should distrust all CAs and verify certificates on important servers another way.

BTW, this attack was already used against a Russian XMPP server at Hetzner. The trust model is fundamentally broken.