How to verify new security certificate for XMPP account?

<hidden> anonymous
Created: 3 years and 9 months ago • Updated: 3 years and 9 months ago
I'm using a duck.co XMPP account, with ChatSecure. Apparently a new security certificate was just issued by duck.co and ChatSecure keeps giving me a popup asking me if I want to accept the new security certificate. Is there a way to validate that it's legitimate? Do you post the shasums somewhere?

This forum has been archived

Thank you all for the many comments, questions and suggestions. Particular thanks go to user x.15a2 for constantly monitoring, replying and helping so many users here. To continue these discussions, please head over to the DuckDuckGo subreddit.


anonymous
Yeah, I came here for the same reason.
posted by <hidden> • 3 years and 9 months ago Link
anonymous
We have the same situation. A permanent window appears in ChatSecure. Connection to the server is not available. Is this a fake certificate? Has the site's security certificate changed? The proposed certificate is from Comodo.
posted by <hidden> • 3 years and 9 months ago Link
anonymous
Maybe it's MitM? Is the attacker attempting to replace the certificate of the service?
posted by <hidden> • 3 years and 9 months ago Link
anonymous
Here's a little information about the certificate. Is this the real one?
Does Comodo provide the server security certificate???
---------------------------------------------------------------------------------------------------------------

Certificate details:
CN=duck.co, OU=Multi-Domain SSL, O=DuckDuckGo, STREET=20 Paoli Pike, L=Paoli, ST=Pennsylvania, OID.2.5.4.17=19460, C=US
2014-12-02 - 2015-12-04
SHA-256:
8c:99:78:ca:a3:4e:c3:86:9d:dd:f6:37:ea:32:92:2d:8d:77:83:9c:e5:28:c6:6e:f3:2c:85:88:66:d5:8c:3e
SHA-1:
........
Signed by: CN=COMODO RSA Organization Validation Secure Server CA, o=COMODO CA Limited, L=Salford, ST=Greater Manchester. C=GB

....
posted by <hidden> • 3 years and 9 months ago Link
anonymous
Me too.
posted by <hidden> • 3 years and 9 months ago Link
anonymous
Are the administrators of the service here? Those who know the answers?
Can we write to support?
posted by <hidden> • 3 years and 9 months ago Link
anonymous
Look at duckco on twitter, which has a link to the new sha1 fingerprint. For me it matched. I'm assuming that the twitter account is under duck.co control, since it's linked at the bottom of this page.
posted by <hidden> • 3 years and 9 months ago Link
anonymous
Here http://t.co/egGDaLR4WR and
here https://xmpp.net/result.php?domain=dukgo...
Identity information.
The last link is more complete. It contains information about who issued it.
posted by <hidden> • 3 years and 9 months ago Link
anonymous
Thanks. The first link appears to have the correct sha1sum for the new certificate. As noted, you can find the tweet for that in the Duckco twitter account (https://twitter.com/duckco), if you don't want to just follow a link from the thread here.

The second link just leads to a 404 error, however.

It's hard to believe there's not a better way to deal with verifying the certificate and that DuckDuckGo does so little to make that information easy to find. What's the point of encrypted communication, if people just have to randomly accept certificates with no obvious way to verify the validity? I imagine most people just hit the "accept" button and don't think about the fact that they could be completely undermining their encryption.
posted by <hidden> • 3 years and 9 months ago Link
anonymous
Check the data in the pop-up window in ChatSecure against the data on this site: https://xmpp.net/result.php?domain=dukgo...
They matched for me.
posted by <hidden> • 3 years and 9 months ago Link
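
The check the posts above describe, comparing the fingerprint of the presented certificate against a value published out of band, as an added example that is not part of the original thread. It assumes the certificate has been exported as PEM; the function names are hypothetical and the sample certificate bytes are a constructed stand-in, not the real duck.co certificate.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in bytes, NOT a real certificate. A fingerprint is only a
# hash over the DER encoding, so any byte string shows the mechanics.
SAMPLE_DER = b"constructed stand-in for a DER-encoded server certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# SHA-256 value quoted from the client popup in the thread above.
THREAD_SHA256 = ("8c:99:78:ca:a3:4e:c3:86:9d:dd:f6:37:ea:32:92:2d:"
                 "8d:77:83:9c:e5:28:c6:6e:f3:2c:85:88:66:d5:8c:3e")

ALG_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize(fp):
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    hexstr = "".join(c for c in fp.lower() if c not in ": -\t\n")
    if len(hexstr) not in ALG_BY_HEX_LEN or set(hexstr) - set("0123456789abcdef"):
        raise ValueError("not a SHA-1 or SHA-256 fingerprint")
    return hexstr


def fingerprint(pem, alg="sha256"):
    """Colon-separated hash of the certificate's DER bytes, as clients show it."""
    digest = hashlib.new(alg, ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_published(pem, published):
    """True only if the certificate hashes to the out-of-band published value."""
    want = normalize(published)
    got = normalize(fingerprint(pem, ALG_BY_HEX_LEN[len(want)]))
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    print("SHA-1  :", fingerprint(SAMPLE_PEM, "sha1"))
    print("SHA-256:", fingerprint(SAMPLE_PEM))
    # The stand-in is not the duck.co certificate, so this must print False.
    print("matches thread value:", matches_published(SAMPLE_PEM, THREAD_SHA256))
```

The comparison only means something when the published value arrives over a channel other than the connection being checked, which is the role the operator's Twitter account plays in the thread.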