How SSL and TLS Work

Digital technology is no longer only about Olympic-style records in the spirit of "faster, higher, further". The performance of end devices, ever faster transfer rates and the variety of convenient apps are one side of the coin. The other is that when we surf the Internet and use social media and other services, we reveal facts about ourselves practically every second that should not fall into everyone's hands: addresses, bank account details, credit card numbers and other sensitive data.

The watchword of the hour is rather: security. Or: how can I actively and passively ensure that the data I disclose via the Internet and send around the globe is protected against improper access by third parties? This is where SSL and TLS come in, encryption protocols designed so that I can move around the digital world securely.

How an SSL Certificate works

SSL (Secure Sockets Layer) is a protocol for authenticating and encrypting connections on the Internet. The original SSL protocol is now obsolete and has been replaced by TLS (Transport Layer Security). However, the term SSL has remained in common parlance to this day.

To explain how it works, let's take as an example a customer placing an order in an online shop. An encrypted SSL connection is always initiated by the client (here the customer). The first step is the so-called handshake, in which the encryption parameters for the session are established. The shop's server responds by sending the client its SSL certificate, which contains its public key. The client in turn authenticates the certificate against a list of known CAs (Certificate or Certification Authorities, the bodies that issue digital certificates). If the CA is not known, most browsers open a window that gives the user the option of accepting or rejecting the certificate on their own responsibility.

Now the client generates a symmetric key, encrypts it with the server's public key and sends it back. Both client and server then know the key for encrypting the user data, and the secure connection is established.
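The certificate check described above, run as a real TLS handshake with Go's standard library (an added example, not code from the original article). A constructed test CA signs a certificate for the hypothetical hostname shop.example; a client that lists that CA among its known CAs completes the handshake, while a client that trusts only a different CA rejects the certificate, which is the case in which a browser would show its warning dialog.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// makeCert issues a certificate for name: a self-signed CA when parent is nil, otherwise a server certificate for hostname name signed by that CA (constructed test PKI).
func makeCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil { // CA: may sign other certificates and signs itself
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	} else { // server certificate: bound to the hostname the client will check
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// handshake runs one TLS handshake over loopback TCP: the server presents srvCert, and tls.Dial fails unless it chains to a CA in trusted (the client's list of known CAs).
func handshake(srvCert *x509.Certificate, srvKey ed25519.PrivateKey, trusted *x509.CertPool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err }
	defer ln.Close()
	go func() { // server side: accept one connection and run its half of the handshake
		if c, err := ln.Accept(); err == nil {
			srv := tls.Server(c, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}})
			srv.Handshake()
			srv.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: trusted, ServerName: "shop.example"})
	if err == nil { cli.Close() } // certificate accepted and session keys agreed; nothing more to send
	return err // e.g. "tls: failed to verify certificate: x509: certificate signed by unknown authority"
}
// Demo: the shop certificate is accepted by a client that knows its CA and rejected by a client that trusts only some other CA (the "CA not known" case in the text).
func Demo() (acceptedKnownCA, rejectedUnknownCA bool) {
	ca, caKey := makeCert("Example Root CA", nil, nil)
	shop, shopKey := makeCert("shop.example", ca, caKey)
	otherCA, _ := makeCert("Some Other CA", nil, nil)
	pool := func(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
	return handshake(shop, shopKey, pool(ca)) == nil, handshake(shop, shopKey, pool(otherCA)) != nil
}
```

Current TLS versions derive the session key through an ephemeral key exchange rather than by encrypting a client-chosen key with the server's public key as described above, but the CA check this example exercises is the same.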

Differences between common SSL Certificates

There are several variants of SSL certificates, depending on the needs of the applicant, and they also vary in price. Factors include, for example, the encryption strength (the usual values are 128-bit or 256-bit), the type of validation, and browser compatibility or acceptance.

Domain validated certificates (Domain Validation)

Domain-validated certificates are the most widespread. Using a regulated e-mail exchange, the certification authority checks whether the applicant for an SSL certificate really owns the domain. After confirmation, the certificate is issued within a very short time. This variant is mostly used for small websites, blogs, forums, mail servers and intranet applications, and it is the cheapest option.

Organization Validated Certificates (Organization Validation)

The process is somewhat more involved for an organisation-validated certificate. Here, not only is the domain checked, but the identity of the applicant is verified as well. The website operator, usually a company, must prove with certain documents that it really is the domain owner. The identity check varies from provider to provider. Normally, an extract from the commercial register is required, the bank details are cross-checked, and telephone contact is established between the applicant and the provider. Organisation-validated certificates are suitable for company websites, web shops and webmail.

Extended Validation Certificates (Extended Validation)

A third variant is Extended Validation. Websites certified in this way can be recognised by the green lettering in the browser's address bar. This visual feedback indicates that the connection is particularly trustworthy. Anyone who handles their payment transactions via online banking knows this from banks and savings banks. Here the certification authority proceeds much as it does for organisation-validated certificates, but additionally checks whether the applicant really is an employee of the company in question and is authorised to acquire an Extended Validation certificate.

EV certificates are generally encrypted with 256 bit and achieve the highest possible acceptance by all browsers. In addition to the green lettering already mentioned, the address bar also shows the name and registered office of the company.

Which certification body is the right one?

There are a large number of Certificate Authorities (CAs) in different countries, so it is easy for a prospective customer to lose track. Often it is not possible to find out which company or government agency is behind them. Critics therefore speak of a "certification lottery" that offers little transparency and trustworthiness. Bundesdruckerei, with its subsidiary D-Trust, is at least entirely in German hands. Many other agencies work with US-American intermediate certificates, but since the NSA surveillance affair at the latest, one has to doubt whether one's own data is really protected by these certificates.

Google prefers pages with SSL encryption

In 2014, Google announced that its search engine now uses an algorithm that gives SSL-certified pages preferential treatment and ranks them higher than pages without a certificate. Among experts at the time, this step was regarded as downright sensational, because Google usually keeps completely silent about the nature and workings of its algorithms. However, the company has set out to improve Internet security more and more, and this was probably the reason for the public statement.

A look into the future of encryption

A forward-looking project in the area of encryption is "Let's Encrypt", which is driven by the Californian Internet Security Research Group (ISRG). It should make it possible in future for every website operator to equip their domain with an SSL certificate in a simple way and completely free of charge, one that is regarded and accepted as trustworthy by the common browsers. Encrypted HTTPS connections could thus soon become the web standard and provide more security and data protection. Members of the ISRG are the Mozilla Foundation, Cisco, Akamai and the Electronic Frontier Foundation.
