That article is mixing up "is it safe to do that from us?" and "is it safe to do that?". Do it from another vendor that isn't using https and all their reassurances about the method evaporate. Simply put: the method is bad; it's only when you use a bunch of mitigating actions that it becomes 'not bad'.
