I'll also echo what many have said - WSE and SPI Firewalls (Stateful Packet Inspection is the prerequisite of NAT is what actually protects you) have been the only thing I've been using for years.
I suspected it was last straw. She was looking for an excuse.
That said, however, lawyers in good standing enjoy a legal privilege of being able to discuss matters with clients in confidence and be able to withhold those discussion from the government. If you can't communicate privately the privilege is eviscerated.
Perhaps she wasn't so much worried about herself than the confidential sources she used?
For example: Hong Kong Post Root; DoD Root CA 2; Federal Common Policy CA; Staat der Nederlanden Root CA - Any of these CA can mint a certificate for ANY website.
Keep in mind that any sufficiently powerful nation is better served sending lawyers rather than hackers. Step One: All it takes is to send a court ordered warrant with gag-order to get the private key for "Go Daddy Root Certificate Authority - G2". Step Two: Mint certificates
We should do two things. 1) Browsers should also start displaying the root CA. If I go to Google and I know it's Google because "Autoridad de Certificacion Raiz del Estado Venezolano" says so, I'd be suspicious. 2) Fix the all or nothing problem. Somehow limit the domain scope of a CA. "Google Internet Authority G2" mints certificates for Google.Com. What's to keep them from minting one for MyBank.com?