I do still think this is an issue (though not one with a high likelihood of someone attacking), so for our application I won't be embedding a purchased certificate for 'mydevice.mydomain.com'. My recommendation would be that you guys remove the 'securedemo.wiced.broadcom.com' from the WICED SDK and have the certificate revoked. The main reason being to avoid implying to other developers that it's safe to do this with their embedded devices. I am not a security expert, however, so probably best to talk to the gurus within Broadcom first. If you do, I'd be very curious to see their opinions added to this discussion.