An attacker can’t “inject fake thumbprints in real time”, it’s just a hash of the certificate, it’s not an integral part of the certificate.
I was meaning the attacker can inject the fake thumbprint onto your website as text if they’re using SSL interception tools. I know they can’t change the actual hash of the certificate because that’s computed.
I was suggesting that a really sophisticated attacker could strip the SSL, replace it with their own root certificate and then change any resulting text on your webpages. Very unlikely but possible. The far more common scenario is routine SSL stripping/interception.
I’ve seen the updated page – this is good now, thank you. This makes it easy for users to check if their computer manufacturer or antivirus company is stripping ‘good’ SSL and replacing it with their own.
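The check discussed in this thread, as an added example that is not part of the original comments or the site's own code: hash the certificate the machine is actually shown and compare it with a reference thumbprint obtained through a different channel. The function names and the two byte strings are assumptions made for the illustration; the byte strings are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import ssl

def thumbprint(der: bytes, algo: str = "sha256") -> str:
    # The thumbprint is computed over the DER bytes; it is not a field inside the certificate.
    return hashlib.new(algo, der).hexdigest()

def normalize(fp: str) -> str:
    # Accept "AB:CD:...", "ab cd ..." or "abcd..." as browsers and tools print them.
    cleaned = "".join(c for c in fp if c not in ": -\t\r\n").lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a hex fingerprint")
    return cleaned

def matches_reference(presented_der: bytes, reference_fp: str) -> bool:
    # reference_fp must come from a channel other than the connection being checked.
    ref = normalize(reference_fp)
    algo = {40: "sha1", 64: "sha256"}.get(len(ref))
    if algo is None:
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint")
    return hmac.compare_digest(thumbprint(presented_der, algo), ref)

def fetch_presented_der(host: str, port: int = 443) -> bytes:
    # Returns whatever certificate this machine is actually shown, without validating it.
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def pretty(fp: str) -> str:
    # Format a hex digest the way certificate viewers usually display it.
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()

# Constructed stand-ins for DER bytes (not real certificates); hashing works the same way.
GENUINE_DER = b"constructed: certificate issued to the site"
RESIGNED_DER = b"constructed: certificate re-signed by a local interception root"

if __name__ == "__main__":
    reference = pretty(thumbprint(GENUINE_DER))  # as published out of band
    print("direct connection:", matches_reference(GENUINE_DER, reference))
    print("intercepted connection:", matches_reference(RESIGNED_DER, reference))
```

On a live system, pass the output of `fetch_presented_der` for the site in place of the constructed bytes.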