We should definitively warn (actually not accept) forbidden folders as watched folders. If it’s any consolation, they should be ignored since they are on the forbidden list. But they should not even be accepted. See https://bitbucket.org/axantum/axcrypt-net/issues/298/secured-folder-should-forbid-adding . Thanks!
As for SSL thumbprints, the thumbprint is not intended to be used for security, but for reference (i.e. to easily identify which certificate to use from a certificate store etc). You should only validate the certificate based on the trust.
An attacker can’t “inject fake tumbprints in real time”, it’s just a hash of the certificate, it’s not an integral part of the certificate.
Still, it doesn’t hurt, but the important part is really that it’s issued by the correct trusted authority. If you’d like to protect against various forms of man-in-the-middle scenarios, you should verify that it’s issued by the right authority – not any authority that your computer happens to trust, which may be more than you want – perhaps due to an attacker or your company having injected their own root certificate as trusted.
Anyway, see the updated https://www.axcrypt.net/cryptographic-hashes-files/ .