What is an SSL certificate?
Thanks to the Internet, it's easy to get your shopping, banking and even a growing number of administrative tasks done online. However, this entails two major risks: the Internet is completely anonymous and data traffic can be intercepted. An extendable qualified SSL certificate, which can be issued for one or more years, helps resolve this issue by identifying your business partner and simultaneously encrypting the transmitted data.
What is an SSL certificate, how does it work - and what do I need it for?
The internet is continually gaining ground, and with it the endless possibilities that it generates. Virtual shops, auction houses, casinos and financial institutions are already the norm, private individuals can submit their tax declarations digitally (while more and more companies are even obliged to do so by law), and an electronic commercial register is being implemented. The days of the World Wide Web as little more than a giant reference book for facts or a purely military communication tool during the Cold War are long gone. Nowadays, the internet is where most of the dealings of our everyday life take place - and among them, many dealings of a more delicate nature.
In some areas, confidentiality is crucial. When using an ATM, for instance, you wouldn't appreciate someone looking over your shoulder or, even worse, stealing your PIN number. No one would even dream of displaying their income tax on the bulletin board of the tax office. When buying books or CDs, we expect no one but the seller to receive payment - it would be unacceptable for anyone else to wrongfully gain access to our hard-earned money. In real life, a certain amount of care, common sense and caution (as well as an adequate dose of mistrust) seems to do the trick when trying to avoid the aforementioned inconveniences. But what about the digital, boundless and moreover completely anonymous internet? It is almost a given for people to take on fake identities and tell fantastical stories about their life and achievements in chat rooms. Organized scammers lure unsuspecting clients onto deceptively real-looking (but sadly fake) websites in order to gain access to their PIN and TAN numbers, leaving behind little more than an empty bank account. Anyone who connects their computer to a wireless network is handed whatever data is being sent on a silver platter. The radio signals are, so to speak, in plain sight: unencrypted, publicly emitted like binary morse signals, not unlike a radio broadcast for all to enjoy. An invitation to identity theft if ever there was one.
Does it have to be this way?
No. The first step toward data security was the introduction of the "HyperText Transfer Protocol Secure" in 1994. The user will recognize it from the address bar of their browser: the name of the domain or the website is no longer preceded by "http", but rather by "https", often combined with a symbolic padlock or highlighted in a noticeable color, depending on its origin. Because the necessary protocols have been pre-built into the browser software, HTTPS works on practically every web-enabled computer. It functions in two ways: first, it encrypts the data which needs to be transmitted into 128 or 256-bit blocks without the need for additional computer software.
Second, it checks whether the partner in question is actually who they claim to be. This authentication makes it extremely difficult for phishing attacks to occur, as it redirects them to recreated websites. Consequently, financial institutes ensure that any online banking transactions are strictly processed via an HTTPS server. Auction houses rely on it for the user's registration, at the very least, although they transmit transaction data without any added encoding in order to increase computer speed. Other shops leave it up to the user to log in via the encrypted HTTPS or the unencrypted HTTP. When connecting via an HTTPS server, SSL is added into the mix - the "Secure Sockets Layer". In simple terms, the first thing that happens is the overlap of a second connection called "SSL Record Protocol" over the existing connection.
This protocol (which, as its name implies, is purely there for recording purposes) ensures the encoding between both computers and checks whether the data entered on one side exits the other side unaltered. In order to achieve this, it calculates check digits from the transmitted data in regular intervals, adds them and adjusts them on both sides of the connection. Before the first data is exchanged, the "SSL Handshake Protocol" (manifestly named for the customary handshake at greetings) transmits the personal identification data of the parties involved and negotiates both the fragmenting as well as the encoding process to be used during the connection. In other words, both computers agree on the code and the uniform size of the data packets destined for transmission. From now on, there is a flow of encoded snippets of information through symmetrical algorithms (i. e. sender and receiver use one and the same approach for encoding and decoding). These snippets are decoded, assembled and made legible to the user by the receiving computer.
The SSL certificate makes an appearance during this "handshake". It's a sort of digital ID card issued by a certificate authority or "CA" which allocates a public signature verification key to a specific person or organization. The CA certifies this allocation by giving it its own digital signature. In other words: if someone uses a certain code on the internet, it is possible to deduce and confirm who they are based on its composition. Whether such an identification is enough, and whether a digital signature can be recognized as a confirmation of the declaration of intent in legal dealings, is a substantial issue. Since the internet isn't supposed to be a legal vacuum, this is of great significance from a legal perspective. Because of this, in the Federal Republic of Germany, the so-called "Signaturgesetz" from 2001, along with the "Signaturverordnung", governs any matters of SSL certificates and digital signatures. The Federal Network Agency, or "Bundesnetzagentur", is the regulatory agency and principal certificate authority, which in turn has designated further accredited certificate authorities. These are nationally verified and provided with quality marks - most notably bar associations and associations of notaries, tax accountants and auditors. However, companies organized under private law, such as the Deutsche Telekom, Deutsche Post and DATEV, have also been granted approval. In order to become established as a private certificate authority ("Zertifizierungsanbieter"), a company must declare the launch of their business to the Federal Network Agency - no further permits are necessary. Proof of their required reliability and specialist knowledge must be provided, though, and a liability insurance with a limit of at least 250,000 euros per claim must also be taken out. Furthermore, a comprehensive concept must document the planning and full implementation of any necessary safety precautions (against hacking of a database or falsification of a certificate, to name but a few).
Included in these are not only the technical, structural and organizational measures taken, but also the software and hardware put to use (along with the clearance certificates of their manufacturers), the implementation and execution of the certification procedure, emergency plans, and reliability checks of the employees (through examination of their certificates of conduct or the like). Such a provider may issue electronic certificates which confirm the identity of a natural or legal person by means of an unambiguous signature verification key allocated to them. In the case of a qualified certificate, things go one step further: it constitutes the highest and uniformly accepted form of identification in a business transaction and refers only to natural persons. This approach resembles that of a notarial certification in a way. In order for such a certificate to be issued, the applicant must be identified without any doubt through their ID card or passport, if need be through their birth certificate. This SSL certificate can use a pseudonym in lieu of a name, contain additional personal or professional information and refer to the power of representation by a third party - data which must be confirmed on the basis of suitable records and attestations, checked by the provider and is naturally subject to data protection law.
The applicant must be given written instructions concerning the fact that their electronic signature has the same consequences as their genuine signature in legal dealings. The same applies to comprehensive information about storage and use of the digital signature; correct conduct in the case of loss or presumed misuse; pertinent safety precautions when generating or checking a signature; possible restrictions to the qualified certificate depending on type and scale; the necessity for a renewed signature after time has elapsed; the presence of voluntary accreditation systems (see below); opportunities for complaints and arbitration; as well as the approach and procedure involved in the cancellation of a certificate, submitted with a telephone number. These instructions must be signed by the applicant. Hereafter, the applicant receives a data carrier with a personal digital signature - its receipt must also be recorded in writing. Qualified certificates are valid for a maximum of up to two years, while SSL certificates are consistently valid for one year. Each has its own consecutive number, confirms the allocation of the signature verification key to the identified person, names the applied algorithm, and provides information about the exact validity and possible restrictions to its use, as well as the name and country of establishment of the certificate authority in question. The provider must make the certificate available and verifiable to the owner (online and around the clock), if requested - thereby, the desired identification and encoding on the World Wide Web has been achieved. However, the provider's responsibility does not end once the certificate has been made available. In fact, the provider must document the data and the authenticity of the certificates at all time, verifiably and immutably. This also applies to their business procedures: they are obliged to manage an archive which not only documents basic things like their security concept, certificates of conduct of their employees and contractual agreements (general terms and conditions) with applicants, but also any essential information about each and every certificate. This includes a copy of the personal ID; the pseudonym; proof of receipt of instructions as well as of the data carrier; all written agreements and confirmations referring to additional information concerning the qualified certificate; the issued certificate along with any relevant information about it; a possible cancellation; and, finally, possible information transmitted to the authorities according to data protection law. The entirety of this information must be stored for another two years after certificates are no longer valid. If the provider discontinues their business, they must ensure acquisition of the certificates by another provider; failing to do so, they must be canceled.
What is a SSL certificate, how it works - and why do we need it?
Das Internet wächst stetig und mit ihm die beinahe grenzenlosen Möglichkeiten, die es bietet.Virtuelle Shops, Auktionshäuser, Spielcasinos und Geldinstitute sind inzwischen bereits Routine, Privatpersonen können ihre Steuererklärungen in digitaler Form abgeben (Unternehmen werden vom Gesetzgeber zunehmend dazu verpflichtet), das elektronische Handelsregister ist in der Umsetzung - die Zeiten, in denen das WorldWideWeb lediglich eine Art riesiges Nachschlagewerk für Informationen und eine rein militärische Kommunikationsplattform des Kalten Krieges war, sind längst vorbei. Stattdessen übernimmt es zusehends die Geschäfte des Alltags. Darunter auch solche delikater Natur.
Es gibt Bereiche, in denen Vertraulichkeit oberstes Gebot ist. Wer beispielsweise am Geldautomaten seine Bankgeschäfte tätigt, möchte nicht, dass ihm jemand über die Schulter schaut oder gar die Geheimnummer stibitzt. Niemand käme auf den Gedanken, seine Einkommensteuer am Schwarzen Brett des Finanzamts zu veröffentlichen. Wer irgendwo Bücher oder CDs erwirbt, möchte sichergehen, dass allein der Verkäufer das Entgelt bekommt - und niemand anders unrechtmäßig die bezahlten Euro abzweigt. Im realen Leben lässt sich das alles mit entsprechender Sorgfalt, gesundem Menschenverstand und angemessenem latenten Misstrauen einigermaßen problemlos bewerkstelligen.
Doch was ist mit dem digitalen, uferlosen, dazu noch vollkommen anonymen Internet? In
Chaträumen nehmen die Personen wie selbstverständlich andere Identitäten an und erzählen fantastische Lebensgeschichten. Organisierte Betrüger locken ahnungslose Bankkunden auf täuschend echt gemachte, nur leider gefälschte Webseiten und versuchen so, an die PINs und TANs des Nutzers zu kommen, um mit ihnen sein Girokonto leer zu räumen. Drahtlose Netzwerke, sogenannte Wireless-LAN, offenbaren jedem, der einen eigenen Computer dazwischenhält, was gesendet wird - die Funksignale sind durchweg im Klartext, also unverschlüsselt, werden wie binäre Morsezeichen weithin hörbar wie eine
Rundfunksendung öffentlich ausgestrahlt und laden zum Raub der Identität förmlich ein.
Does it have to be like this?
No. The first step towards data security was the introduction of "HyperText Transfer" in 1994. Protocol Secure". The user recognizes it in the address line of his browser window: there the domain or the entered website name is no longer preceded by "http", but by "https", Depending on the manufacturer, usually combined with a symbolic padlock or with a with a striking color. HTTPS works - because the necessary protocols in the browser software
are already installed at the factory - on practically all Internet-enabled computers
and does two things: it usually encrypts the data to be transmitted at 128- or 256-bit level, without the need for additional software on the computer, and checks whether the partner is actually the one he pretends to be. This "authentication" makes it difficult to Phishing attacks by redirecting to reconstructed websites are of course uncommon.
Consequently, just financial institutions rigorously wrap the whole Internet banking traffic HTTPS server, auction houses at least the registration of the user, while the transaction data to increase the calculation speed without coded additional measures can be transmitted. Other shops, on the other hand, leave it to the user to decide whether he wants to encrypted over HTTPS or unencrypted over HTTP.
SSL comes into play when connecting via HTTPS server. SSL stands for "Secure Sockets Layer". and can be reasonably translated as "Safe Connection Layer". Simplified representation the following happens: a second connection named "SSL Record Protocol". This pure recording protocol provides the encryption between both computers and checks whether the data that is entered on one side is exactly
on the other hand, by regularly leaving the sent data, the data, add the check digits and compare the value at both ends of the connection.
Before the first data is exchanged, the "SSL Handshake Protocol" (named after the handshake to greet) transmits the personal identification data of the participants and negotiates both the fragmentation and encryption method to be used during the connection. In other words: both computers agree on the code and the uniform size of the data packets to be transmitted. From now on, coded bits of information flow through symmetrical algorithms (i. e. sender and receiver use one and the same procedure for encrypting and decrypting), which the receiving computer decodes, assembles and makes readable for the user.
Handshake" is where the SSL certificate appears. It is a kind of digital identity card issued by a Certificate Authority (CA) and a publicly accessible
Signature verification key of a specific person, or organization is assigned. This assignment is made by the certification/registration body by adding its digital signature to the certificate as well. In other words, if someone uses a certain code on the Internet, then can be clearly deduced from the composition and confirmed who he is.
Since the question of whether such identification is sufficient and whether a digital signature is appropriate in legal transactions to the confirmation of the declaration of intention is to be recognized, also from of extraordinary importance from a legal point of view - after all, the Internet is not intended to be a "Rechtsfrei Raum" - regulates in the Federal Republic of Germany the following the Signature Act of 2001 together with the Signature Ordinance all questions concerning SSL certificates and digital signatures.
The regulatory authority and supreme certification body is the Federal Network Agency, which for its part already further accredited (thus state examined and with quality mark certification bodies - mainly the chambers of lawyers, notaries, tax advisors and auditors, but also private law Companies such as Deutsche Telekom, Deutsche Post and DATEV were granted approval.
If you want to establish yourself on the market as a private "certification service provider" - as the correct term suggests - you have to start your business with the
Federal Network Agency, but otherwise does not require any further permits. However, he must prove that he possesses the necessary reliability and expertise, also a liability insurance with a coverage of at least 250,000 euros per claim.
In addition, a comprehensive concept must document that it has taken the necessary security measures, for example against unauthorised access to the databases or against unauthorised access to the data, and that it has taken the necessary steps to ensure that the data is protected against unauthorised access.