Someone should really test it, real red team black hat style and then fully publish the results. Try to mitm https with real unlogged certs and see what happens. Preregister the whole fully detailed procedure on blockchain. And report to public results fully, with proofs of being caught.