SSL fingerprint check for nodes.get-scatter.com (MITM attack prevention)
In the interest of preventing a man-in-the-middle attack from Let's Encrypt, could you please provide the fingerprint of your current SSL certificate for nodes.get-scatter.com?
From your side:
$ openssl x509 -in '/etc/ssl/certs/YOUR_CERT.pem' -noout -sha256 -fingerprint
SHA256 Fingerprint=??:??:...
From my side, I see Let's Encrypt and 3E:BD:1F:8C:67:D1:74:B1:95:42:D0:59:6B:CB:67:20:0B:9E:A8:91:15:3C:B7:3E:C1:0A:74:92:D0:78:C9:62:
$ curl -vvI https://nodes.get-scatter.com 2>&1 |egrep issuer
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
$ echo | openssl s_client -servername nodes.get-scatter.com -connect nodes.get-scatter.com:443 | openssl x509 -noout -sha256 -fingerprint
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = nodes.get-scatter.com
verify return:1
DONE
SHA256 Fingerprint=3E:BD:1F:8C:67:D1:74:B1:95:42:D0:59:6B:CB:67:20:0B:9E:A8:91:15:3C:B7:3E:C1:0A:74:92:D0:78:C9:62
I understand how troublesome SSL certificates are and why the free and automated Let's Encrypt service is so popular. It is so typical, though, that a dishonest actor would set up and provide a convenient free service that has ulterior motives. In today's environment, that is often spying. The origin of signed crypto transactions is high-value information because they imply that the broadcasting IP holds the private key. With that said, this rule of thumb tips me off: if it is free, you're the product...
There is nothing stopping Let's Encrypt from issuing an almost identical duplicate certificate with your name on it to enable a man-in-the-middle attack. Except that they can't fake your private and public key and therefore can't fake your fingerprint.
Even if it matches, it still would be a very good idea to start the practice of API end-points publishing a fingerprint on the blockchain. This would open the door to automate clients that could check this fingerprint. The Let's Encrypt script could be tweaked to publish the new fingerprint when it changes.
Let's Encrypt will certainly issue a new cert automatically when your certificate is about to expire. But will they do this more frequently than that? I'm not sure. I can check for this, though, on my side and let you know if I see it change.
I have considered VPN or TOR or TOR over VPN. All are not perfect and require some setup. However, simply checking fingerprints can be seamless to the end-user and add a great deal of security. Ultimately I think all of the above and then some would be good.
Fingerprint checking should also flag any MITM attacks from any other CA, including Cloudflare. Also be aware of Cloudflare's less-secure configurations.
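The automated client-side check proposed in this post could look like the following. This is an added example, not part of the original post or of the project's code; the function names, the idea of a published list holding both the current and the next fingerprint (so a renewal does not raise a false alarm), and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def parse_pin(text: str) -> bytes:
    """Accept openssl output ('SHA256 Fingerprint=3E:BD:...') or bare hex."""
    hexpart = text.split("=", 1)[-1].replace(":", "").strip()
    raw = bytes.fromhex(hexpart)  # raises ValueError on non-hex input
    if len(raw) != 32:
        raise ValueError("not a SHA-256 fingerprint")
    return raw


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, formatted the way openssl prints it."""
    return hashlib.sha256(der).digest().hex(":").upper()


def fetch_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate; normal CA and hostname checks stay enabled."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(der: bytes, published: list[str]) -> tuple[bool, str]:
    """Return (matches, seen_fingerprint) for a certificate and published pins."""
    seen = hashlib.sha256(der).digest()
    ok = False
    for pin in published:
        ok |= hmac.compare_digest(seen, parse_pin(pin))
    return ok, fingerprint(der)


if __name__ == "__main__":
    # Constructed stand-in for DER bytes so the demo runs offline. Against a
    # live endpoint use: check_pin(fetch_der(host), published_pins)
    sample = b"constructed stand-in for DER certificate bytes"
    published = ["SHA256 Fingerprint=" + fingerprint(sample)]
    print(check_pin(sample, published))          # certificate matches the pin
    print(check_pin(sample + b"!", published))   # any other certificate does not
```

A mismatch is only a signal to investigate: the fingerprint covers the whole certificate, so every legitimate renewal changes it, and the published list has to be updated before the new certificate goes live.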