[jerrythegerbil]

More frequent renewals pose various architectural problems, but it makes “lawful” TLS intercepts harder to execute without going unnoticed.

TLS intercepts with CA signed certificates can and been carried out. The undertone in previous reporting indicates that the execution depends on a mechanism that doesn’t have 100% reliability across renewal cycles, and shorter lifespans will make that more difficult to carry out without ostensibly visible warnings to the user.

It’s a headache, but you are supposed to be monitoring Certificate Transparency logs for rogue certificates. Barring that, shorter validity is a way to address it.

https://notes.valdikss.org.ru/jabber.ru-mitm/

[gzread]

The mechanism was physical MITM of the server's network connection - they can 100% reliably get certificates issued since the domain name "legitimately" points to the MITM device at that point.

[Bender]

TLS intercepts harder to execute without going unnoticed.

I would expect the opposite. Certs and their fingerprints changing every few days would numb people to TLS changes. MitM would only get noticed if the expected cert is presented at the application layer which is a thing in jabber from your link above, IF it is enabled which it was not and why that MitM went unnoticed for so long. LetsEncrypt is just a DV cert so a cert being issued by other org for the same domain would not raise eyebrows at all. AFAIK no other web daemons in wide use support things like OMEMO/SSL SCRAM though it would be awesome if everyone was hosting their own jabber instances.

In a semi-private forum the fingerprint can be in a pinned comment along with the curl command for members to fetch it but that would have to be updated every few days and someone would have to bother to verify it each time. Doing this weekly could lead to fatigue.