4d2 dot org Security Status

About this application - click to show

The problem: We've recently seen privacy-oriented services come under attack in several ways, from legislative saber-rattling like the EU's Chat Control initiative to an extremely concerning Man-in-the-Middle TLS attack where major hosting companies likely cooperated with law enforcement to violate the privacy of jabber.ru users.

In the jabber.ru attack, hosting companies used their privileged network position to obtain phony TLS certificates for jabber.ru services. These were then secretly used to create an intermediate termination point for secure traffic. Users and site admins saw that connections were encrypted, but communication was presumably being decrypted and funneled elsewhere. This continued for months before it was noticed.

How we're defending ourselves: We already take industry standard precautions such as publishing restrictive CAA records. On this page we try to close some remaining gaps by testing the validity of our own certificates using as many mutually uncooperative parties as possible. This doesn't do anything to prevent an attack, but it makes it as difficult as possible for a MitM attack against us to go unnoticed. Here's how it works:

This site uses a domain name registered in a different TLD from our other domains (.su), and runs on a different machine hosted with a different provider than our most popular services.
Every few minutes, the servers hosting our public services (email, Matrix, CryptPad, etc.) export the SHA-256 fingerprint and validity dates of all their TLS certificates. This data comes from the local copies of these certificates on each application server. These fingerprints and validity dates are pushed to this machine via SSH with key-based authentication.
Every few minutes, a client machine that we control makes a TLS client connection to each of our applications that supports TLS, and logs the SHA-256 fingerprint and validity date it receives from the server. The results are then sent to this machine using SSH.
This app compares the data received by these two mechanisms. If certificate fingerprints or validity dates don't match, we flag that entry as "suspicious" on this page.
Each exchange of certificate information between servers also exchanges a randomly-generated UUID. The UUIDs received by this machine are displayed here, and the UUIDs sent by each remote machine are linked directly from those machines for you to compare. An attacker who compromised this app to display fake data would have to compromise all our machines for the UUIDs to match.

This is not absolute protection from an impersonation attack, or anything close. It just tries to make such an attack as inconvenient, expensive and obvious as possible.

Install our Proof of Security Client for automated monitoring from a machine you trust.

Service Name	Local Fingerprint	Fingerprint to Client	Local Expiry	Expiry to Client	LE Account ID	Trust?
4d2.link	88:1A:4C:FA:F5:08:B4:0346:41:22:EF:A4:E0:07:73:0C:01:CE:B1:A0:14:16:72:08:50:3F:93:5B:53:10:55:88:1A:4C:FA:F5:08:B4:03	88:1A:4C:FA:F5:08:B4:0346:41:22:EF:A4:E0:07:73:0C:01:CE:B1:A0:14:16:72:08:50:3F:93:5B:53:10:55:88:1A:4C:FA:F5:08:B4:03	Dec 19 21:25:01 2025Sep 20 21:25:02 2025 - Dec 19 21:25:01 2025	Dec 19 21:25:01 2025Sep 20 21:25:02 2025 - Dec 19 21:25:01 2025	76782206https://acme-v02.api.letsencrypt.org/acme/acct/76782206	OK
4d2.org	F7:E2:A6:3C:A9:56:7D:E2B1:31:08:A1:E4:22:20:60:DD:08:08:11:7C:17:86:FA:F9:D6:08:5A:C5:C4:2B:AA:F7:E2:A6:3C:A9:56:7D:E2	F7:E2:A6:3C:A9:56:7D:E2B1:31:08:A1:E4:22:20:60:DD:08:08:11:7C:17:86:FA:F9:D6:08:5A:C5:C4:2B:AA:F7:E2:A6:3C:A9:56:7D:E2	Dec 19 21:25:10 2025Sep 20 21:25:11 2025 - Dec 19 21:25:10 2025	Dec 19 21:25:10 2025Sep 20 21:25:11 2025 - Dec 19 21:25:10 2025	76782206https://acme-v02.api.letsencrypt.org/acme/acct/76782206	OK
4d2.social	E6:E7:42:55:7B:D1:04:8C5F:7A:2F:93:C5:63:EB:13:EB:52:5D:5B:9F:4D:C9:FF:D9:59:FF:DF:D0:E7:2C:AD:E6:E7:42:55:7B:D1:04:8C	E6:E7:42:55:7B:D1:04:8C5F:7A:2F:93:C5:63:EB:13:EB:52:5D:5B:9F:4D:C9:FF:D9:59:FF:DF:D0:E7:2C:AD:E6:E7:42:55:7B:D1:04:8C	Nov 10 06:08:13 2025Aug 12 06:08:14 2025 - Nov 10 06:08:13 2025	Nov 10 06:08:13 2025Aug 12 06:08:14 2025 - Nov 10 06:08:13 2025	1801268617https://acme-v02.api.letsencrypt.org/acme/acct/1801268617	OK
4d2.su	59:31:D6:9F:19:91:00:2A86:4C:92:5C:8B:12:67:7B:28:66:83:40:D5:B1:24:EA:76:A3:91:83:BC:A1:2A:94:59:31:D6:9F:19:91:00:2A	Verify this manuallyCheck cert details in your browser - Verify this SHA-256 fingerprint manually	Dec 30 12:46:49 2025Oct 1 12:46:50 2025 - Dec 30 12:46:49 2025	Verify this manuallyCheck cert details in your browser - Verify this manually	2014851357https://acme-v02.api.letsencrypt.org/acme/acct/2014851357	ImplicitThis server can't attest for itself
bayard.4d2.org	F7:E2:A6:3C:A9:56:7D:E2B1:31:08:A1:E4:22:20:60:DD:08:08:11:7C:17:86:FA:F9:D6:08:5A:C5:C4:2B:AA:F7:E2:A6:3C:A9:56:7D:E2	F7:E2:A6:3C:A9:56:7D:E2B1:31:08:A1:E4:22:20:60:DD:08:08:11:7C:17:86:FA:F9:D6:08:5A:C5:C4:2B:AA:F7:E2:A6:3C:A9:56:7D:E2	Dec 19 21:25:10 2025Sep 20 21:25:11 2025 - Dec 19 21:25:10 2025	Dec 19 21:25:10 2025Sep 20 21:25:11 2025 - Dec 19 21:25:10 2025	76782206https://acme-v02.api.letsencrypt.org/acme/acct/76782206	OK
bbs.4d2.org	99:8E:5E:3C:90:8F:9D:92B2:16:EF:CA:C2:5E:6D:92:48:3A:56:12:D1:0B:05:28:28:90:1F:51:3E:14:ED:CA:99:8E:5E:3C:90:8F:9D:92	99:8E:5E:3C:90:8F:9D:92B2:16:EF:CA:C2:5E:6D:92:48:3A:56:12:D1:0B:05:28:28:90:1F:51:3E:14:ED:CA:99:8E:5E:3C:90:8F:9D:92	Dec 23 22:17:14 2025Sep 24 22:17:15 2025 - Dec 23 22:17:14 2025	Dec 23 22:17:14 2025Sep 24 22:17:15 2025 - Dec 23 22:17:14 2025	2077936547https://acme-v02.api.letsencrypt.org/acme/acct/2077936547	OK
cinny.4d2.org	85:DD:5C:6D:CF:87:E7:F3D5:42:69:E1:3F:FB:3D:4F:4B:33:77:39:BB:1D:0C:23:3B:8E:F2:4F:3E:A0:67:9B:85:DD:5C:6D:CF:87:E7:F3	85:DD:5C:6D:CF:87:E7:F3D5:42:69:E1:3F:FB:3D:4F:4B:33:77:39:BB:1D:0C:23:3B:8E:F2:4F:3E:A0:67:9B:85:DD:5C:6D:CF:87:E7:F3	Dec 20 21:35:49 2025Sep 21 21:35:50 2025 - Dec 20 21:35:49 2025	Dec 20 21:35:49 2025Sep 21 21:35:50 2025 - Dec 20 21:35:49 2025	1434949786https://acme-v02.api.letsencrypt.org/acme/acct/1434949786	OK
depot.4d2.org	BC:F9:51:65:A9:2A:6C:300B:35:96:21:69:0A:A3:56:DA:BD:27:F6:C9:28:8C:21:C1:04:B8:1D:9C:32:51:BC:BC:F9:51:65:A9:2A:6C:30	BC:F9:51:65:A9:2A:6C:300B:35:96:21:69:0A:A3:56:DA:BD:27:F6:C9:28:8C:21:C1:04:B8:1D:9C:32:51:BC:BC:F9:51:65:A9:2A:6C:30	Nov 10 06:07:48 2025Aug 12 06:07:49 2025 - Nov 10 06:07:48 2025	Nov 10 06:07:48 2025Aug 12 06:07:49 2025 - Nov 10 06:07:48 2025	1914608496https://acme-v02.api.letsencrypt.org/acme/acct/1914608496	OK
element.4d2.org	70:49:36:08:14:77:44:6063:48:F0:DE:AB:78:F9:F9:4E:13:43:46:52:99:7C:F4:36:80:42:44:44:0C:A4:83:70:49:36:08:14:77:44:60	70:49:36:08:14:77:44:6063:48:F0:DE:AB:78:F9:F9:4E:13:43:46:52:99:7C:F4:36:80:42:44:44:0C:A4:83:70:49:36:08:14:77:44:60	Dec 21 21:35:28 2025Sep 22 21:35:29 2025 - Dec 21 21:35:28 2025	Dec 21 21:35:28 2025Sep 22 21:35:29 2025 - Dec 21 21:35:28 2025	1434949786https://acme-v02.api.letsencrypt.org/acme/acct/1434949786	OK
jitsi.4d2.org	38:D5:C8:D3:B4:64:A3:F5AC:45:B0:31:2D:94:DB:EE:9F:29:E5:45:1A:37:87:EE:87:14:F4:A5:5F:7B:21:D0:38:D5:C8:D3:B4:64:A3:F5	38:D5:C8:D3:B4:64:A3:F5AC:45:B0:31:2D:94:DB:EE:9F:29:E5:45:1A:37:87:EE:87:14:F4:A5:5F:7B:21:D0:38:D5:C8:D3:B4:64:A3:F5	Dec 20 21:35:29 2025Sep 21 21:35:30 2025 - Dec 20 21:35:29 2025	Dec 20 21:35:29 2025Sep 21 21:35:30 2025 - Dec 20 21:35:29 2025	1434949786https://acme-v02.api.letsencrypt.org/acme/acct/1434949786	OK
lemmy.4d2.org	9A:D2:9B:DE:4B:97:42:DE7B:0D:15:86:A8:FD:96:29:85:55:43:DD:A0:60:B7:A3:C3:F0:F5:9C:C4:B5:00:61:9A:D2:9B:DE:4B:97:42:DE	9A:D2:9B:DE:4B:97:42:DE7B:0D:15:86:A8:FD:96:29:85:55:43:DD:A0:60:B7:A3:C3:F0:F5:9C:C4:B5:00:61:9A:D2:9B:DE:4B:97:42:DE	Dec 19 21:39:04 2025Sep 20 21:39:05 2025 - Dec 19 21:39:04 2025	Dec 19 21:39:04 2025Sep 20 21:39:05 2025 - Dec 19 21:39:04 2025	2055798447https://acme-v02.api.letsencrypt.org/acme/acct/2055798447	OK
matrix.4d2.org	45:15:B0:FD:DF:A9:90:9C60:80:D9:7E:2F:79:58:F6:68:1D:D2:9C:AB:AF:6E:6B:AF:DF:D4:7A:53:72:6E:73:45:15:B0:FD:DF:A9:90:9C	45:15:B0:FD:DF:A9:90:9C60:80:D9:7E:2F:79:58:F6:68:1D:D2:9C:AB:AF:6E:6B:AF:DF:D4:7A:53:72:6E:73:45:15:B0:FD:DF:A9:90:9C	Dec 20 21:35:42 2025Sep 21 21:35:43 2025 - Dec 20 21:35:42 2025	Dec 20 21:35:42 2025Sep 21 21:35:43 2025 - Dec 20 21:35:42 2025	1434949786https://acme-v02.api.letsencrypt.org/acme/acct/1434949786	OK
pad.4d2.org	B9:12:B9:6E:55:49:B9:3251:3E:D8:63:26:14:2C:23:3A:B4:46:46:FB:5E:CE:D4:22:78:B2:E6:61:78:9E:C1:B9:12:B9:6E:55:49:B9:32	B9:12:B9:6E:55:49:B9:3251:3E:D8:63:26:14:2C:23:3A:B4:46:46:FB:5E:CE:D4:22:78:B2:E6:61:78:9E:C1:B9:12:B9:6E:55:49:B9:32	Nov 10 06:08:03 2025Aug 12 06:08:04 2025 - Nov 10 06:08:03 2025	Nov 10 06:08:03 2025Aug 12 06:08:04 2025 - Nov 10 06:08:03 2025	1914608496https://acme-v02.api.letsencrypt.org/acme/acct/1914608496	OK
padsbx.4d2.org	B9:12:B9:6E:55:49:B9:3251:3E:D8:63:26:14:2C:23:3A:B4:46:46:FB:5E:CE:D4:22:78:B2:E6:61:78:9E:C1:B9:12:B9:6E:55:49:B9:32	B9:12:B9:6E:55:49:B9:3251:3E:D8:63:26:14:2C:23:3A:B4:46:46:FB:5E:CE:D4:22:78:B2:E6:61:78:9E:C1:B9:12:B9:6E:55:49:B9:32	Nov 10 06:08:03 2025Aug 12 06:08:04 2025 - Nov 10 06:08:03 2025	Nov 10 06:08:03 2025Aug 12 06:08:04 2025 - Nov 10 06:08:03 2025	1914608496https://acme-v02.api.letsencrypt.org/acme/acct/1914608496	OK
vault.4d2.org	F7:E2:A6:3C:A9:56:7D:E2B1:31:08:A1:E4:22:20:60:DD:08:08:11:7C:17:86:FA:F9:D6:08:5A:C5:C4:2B:AA:F7:E2:A6:3C:A9:56:7D:E2	F7:E2:A6:3C:A9:56:7D:E2B1:31:08:A1:E4:22:20:60:DD:08:08:11:7C:17:86:FA:F9:D6:08:5A:C5:C4:2B:AA:F7:E2:A6:3C:A9:56:7D:E2	Dec 19 21:25:10 2025Sep 20 21:25:11 2025 - Dec 19 21:25:10 2025	Dec 19 21:25:10 2025Sep 20 21:25:11 2025 - Dec 19 21:25:10 2025	76782206https://acme-v02.api.letsencrypt.org/acme/acct/76782206	OK
video.4d2.org	9A:D2:9B:DE:4B:97:42:DE7B:0D:15:86:A8:FD:96:29:85:55:43:DD:A0:60:B7:A3:C3:F0:F5:9C:C4:B5:00:61:9A:D2:9B:DE:4B:97:42:DE	9A:D2:9B:DE:4B:97:42:DE7B:0D:15:86:A8:FD:96:29:85:55:43:DD:A0:60:B7:A3:C3:F0:F5:9C:C4:B5:00:61:9A:D2:9B:DE:4B:97:42:DE	Dec 19 21:39:04 2025Sep 20 21:39:05 2025 - Dec 19 21:39:04 2025	Dec 19 21:39:04 2025Sep 20 21:39:05 2025 - Dec 19 21:39:04 2025	2055798447https://acme-v02.api.letsencrypt.org/acme/acct/2055798447	OK

Service Name

Local Fingerprint

Fingerprint to Client

Local Expiry

Expiry to Client

LE Account ID

Trust?

4d2.link

4d2.org

4d2.social

4d2.su

bayard.4d2.org

bbs.4d2.org

cinny.4d2.org

depot.4d2.org

element.4d2.org

jitsi.4d2.org

lemmy.4d2.org

matrix.4d2.org

pad.4d2.org

padsbx.4d2.org

vault.4d2.org

video.4d2.org

What attacks are still possible, and how do I mitigate them?

This site or server could be compromised and our code changed to display false results
- Verify the SHA-256 fingerprints on this page against your own browser and against the crt.sh database
- Compare the sent and received UUIDs above to ensure they match and are rotating every 10 minutes
- Verify that sent UUIDs are linked directly from remote servers, and that received UUIDs are embedded in this page
The admins could be coerced into deliberately breaking this app
- Keep an eye on the warrant canary
- Keep your threat model realistic - this is unlikely as we're not a haven for criminality
We could be an elaborate corporate honeypot hellbent on collecting your personal data
- Only discuss sensitive topics over end-to-end encrypted services like Matrix or PGP email
The SHA-256 algorithm could be broken in some way not yet publicly known
- Relax, because you and the rest of the internet will soon have much bigger problems to worry about
And infinitely many more, depending on your level of paranoia...
- Consider a refreshing cup of chamomile tea

How can I find out right away if there's a new security problem?
You can install our Proof of Security Client on a machine you own and schedule it to run regularly.

Back to 4d2 dot org