anonymous
Look at duckco on twitter, which has a link to the new sha1 fingerprint. For me it matched. I'm assuming that the twitter account is under duck.co control, since it's linked at the bottom of this page.
posted by <hidden> • 3 years and 2 months ago Link

anonymous
Here http://t.co/egGDaLR4WR and
here https://xmpp.net/result.php?domain=dukgo...
Identity information.
Last link more complete. Contains information about who issued it.
posted by <hidden> • 3 years and 2 months ago Link
anonymous
Thanks. The first link appears to have the correct sha1sum for the new certificate. As noted, you can find the tweet for that in the Duckco twitter account (https://twitter.com/duckco), if you don't want to just follow a link from the thread here.

The second links just leads to a 404 error, however.

It's hard to believe there's not a better way to deal with verifying the certificate and that DuckDuckGo does so little to make that information easy to find. What's the point of encrypted communication, if people just have to randomly accept certificates with no obvious way to verify the validity? I imagine most people just hit the "accept" button and don't think about that they could be completely undermining their encryption.
posted by <hidden> • 3 years and 2 months ago Link