Send an email
SSL stands for "Secure Sockets Layer". When an SSL certificate is used, the data sent back and forth between a web server and a client is encrypted.
An SSL certificate can encrypt websites as well as emails. In the case of emails, it encrypts all mails sent between your provider and your computer to stop any unauthorized party from reading your messages - even if they succeeded in intercepting your data.
Thanks to the Internet, it's easy to get your shopping, banking and even a growing number of administrative tasks done online. However, this entails two major risks: the Internet is completely anonymous and data traffic can be intercepted. An extendable qualified SSL certificate, which can be issued for one or more years, helps resolve this issue by identifying your business partner and simultaneously encrypting the transmitted data.
What is an SSL certificate, how does it work - and what do I need it for?
The internet is continually gaining ground, and with it the endless possibilities that it generates. Virtual shops, auction houses, casinos and financial institutions are already the norm, private individuals can submit their tax declarations digitally (while more and more companies are even obliged to do so by law), and an electronic commercial register is being implemented. The days of the World Wide Web as little more than a giant reference book for facts or a purely military communication tool during the Cold War are long gone. Nowadays, the internet is where most of the dealings of our everyday life take place - and among them, many dealings of a more delicate nature.
In some areas, confidentiality is crucial. When using an ATM, for instance, you wouldn't appreciate someone looking over your shoulder or, even worse, stealing your PIN number. No one would even dream of displaying their income tax on the bulletin board of the tax office. When buying books or CDs, we expect no one but the seller to receive payment - it would be unacceptable for anyone else to wrongfully gain access to our hard-earned money. In real life, a certain amount of care, common sense and caution (as well as an adequate dose of mistrust) seems to do the trick when trying to avoid the aforementioned inconveniences. But what about the digital, boundless and moreover completely anonymous internet? It is almost a given for people to take on fake identities and tell fantastical stories about their life and achievements in chat rooms. Organized scammers lure unsuspecting clients onto deceptively real-looking (but sadly fake) websites in order to gain access to their PIN and TAN numbers, leaving behind little more than an empty bank account. Anyone who connects their computer to a wireless network is handed whatever data is being sent on a silver platter. The radio signals are, so to speak, in plain sight: unencrypted, publicly emitted like binary morse signals, not unlike a radio broadcast for all to enjoy. An invitation to identity theft if ever there was one.
Does it have to be this way?
No. The first step toward data security was the introduction of the "HyperText Transfer Protocol Secure" in 1994. The user will recognize it from the address bar of their browser: the name of the domain or the website is no longer preceded by "http", but rather by "https", often combined with a symbolic padlock or highlighted in a noticeable color, depending on its origin. Because the necessary protocols have been pre-built into the browser software, HTTPS works on practically every web-enabled computer. It functions in two ways: first, it encrypts the data which needs to be transmitted into 128 or 256-bit blocks without the need for additional computer software.
Second, it checks whether the partner in question is actually who they claim to be. This authentication makes it extremely difficult for phishing attacks to occur, as it redirects them to recreated websites. Consequently, financial institutes ensure that any online banking transactions are strictly processed via an HTTPS server. Auction houses rely on it for the user's registration, at the very least, although they transmit transaction data without any added encoding in order to increase computer speed. Other shops leave it up to the user to log in via the encrypted HTTPS or the unencrypted HTTP. When connecting via an HTTPS server, SSL is added into the mix - the "Secure Sockets Layer". In simple terms, the first thing that happens is the overlap of a second connection called "SSL Record Protocol" over the existing connection.
This protocol (which, as its name implies, is purely there for recording purposes) ensures the encoding between both computers and checks whether the data entered on one side exits the other side unaltered. In order to achieve this, it calculates check digits from the transmitted data in regular intervals, adds them and adjusts them on both sides of the connection. Before the first data is exchanged, the "SSL Handshake Protocol" (manifestly named for the customary handshake at greetings) transmits the personal identification data of the parties involved and negotiates both the fragmenting as well as the encoding process to be used during the connection. In other words, both computers agree on the code and the uniform size of the data packets destined for transmission. From now on, there is a flow of encoded snippets of information through symmetrical algorithms (i. e. sender and receiver use one and the same approach for encoding and decoding). These snippets are decoded, assembled and made legible to the user by the receiving computer.
The SSL certificate makes an appearance during this "handshake". It's a sort of digital ID card issued by a certificate authority or "CA" which allocates a public signature verification key to a specific person or organization. The CA certifies this allocation by giving it its own digital signature. In other words: if someone uses a certain code on the internet, it is possible to deduce and confirm who they are based on its composition. Whether such an identification is enough, and whether a digital signature can be recognized as a confirmation of the declaration of intent in legal dealings, is a substantial issue. Since the internet isn't supposed to be a legal vacuum, this is of great significance from a legal perspective. Because of this, in the Federal Republic of Germany, the so-called "Signaturgesetz" from 2001, along with the "Signaturverordnung", governs any matters of SSL certificates and digital signatures. The Federal Network Agency, or "Bundesnetzagentur", is the regulatory agency and principal certificate authority, which in turn has designated further accredited certificate authorities. These are nationally verified and provided with quality marks - most notably bar associations and associations of notaries, tax accountants and auditors. However, companies organized under private law, such as the Deutsche Telekom, Deutsche Post and DATEV, have also been granted approval. In order to become established as a private certificate authority ("Zertifizierungsanbieter"), a company must declare the launch of their business to the Federal Network Agency - no further permits are necessary. Proof of their required reliability and specialist knowledge must be provided, though, and a liability insurance with a limit of at least 250,000 euros per claim must also be taken out. Furthermore, a comprehensive concept must document the planning and full implementation of any necessary safety precautions (against hacking of a database or falsification of a certificate, to name but a few).
Included in these are not only the technical, structural and organizational measures taken, but also the software and hardware put to use (along with the clearance certificates of their manufacturers), the implementation and execution of the certification procedure, emergency plans, and reliability checks of the employees (through examination of their certificates of conduct or the like). Such a provider may issue electronic certificates which confirm the identity of a natural or legal person by means of an unambiguous signature verification key allocated to them. In the case of a qualified certificate, things go one step further: it constitutes the highest and uniformly accepted form of identification in a business transaction and refers only to natural persons. This approach resembles that of a notarial certification in a way. In order for such a certificate to be issued, the applicant must be identified without any doubt through their ID card or passport, if need be through their birth certificate. This SSL certificate can use a pseudonym in lieu of a name, contain additional personal or professional information and refer to the power of representation by a third party - data which must be confirmed on the basis of suitable records and attestations, checked by the provider and is naturally subject to data protection law.
The applicant must be given written instructions concerning the fact that their electronic signature has the same consequences as their genuine signature in legal dealings. The same applies to comprehensive information about storage and use of the digital signature; correct conduct in the case of loss or presumed misuse; pertinent safety precautions when generating or checking a signature; possible restrictions to the qualified certificate depending on type and scale; the necessity for a renewed signature after time has elapsed; the presence of voluntary accreditation systems (see below); opportunities for complaints and arbitration; as well as the approach and procedure involved in the cancellation of a certificate, submitted with a telephone number. These instructions must be signed by the applicant. Hereafter, the applicant receives a data carrier with a personal digital signature - its receipt must also be recorded in writing. Qualified certificates are valid for a maximum of up to five years, while SSL certificates are consistently valid for one year. Each has its own consecutive number, confirms the allocation of the signature verification key to the identified person, names the applied algorithm, and provides information about the exact validity and possible restrictions to its use, as well as the name and country of establishment of the certificate authority in question. The provider must make the certificate available and verifiable to the owner (online and around the clock), if requested - thereby, the desired identification and encoding on the World Wide Web has been achieved. However, the provider's responsibility does not end once the certificate has been made available. In fact, the provider must document the data and the authenticity of the certificates at all time, verifiably and immutably. This also applies to their business procedures: they are obliged to manage an archive which not only documents basic things like their security concept, certificates of conduct of their employees and contractual agreements (general terms and conditions) with applicants, but also any essential information about each and every certificate. This includes a copy of the personal ID; the pseudonym; proof of receipt of instructions as well as of the data carrier; all written agreements and confirmations referring to additional information concerning the qualified certificate; the issued certificate along with any relevant information about it; a possible cancellation; and, finally, possible information transmitted to the authorities according to data protection law. The entirety of this information must be stored for another five years after certificates are no longer valid. If the provider discontinues their business, they must ensure acquisition of the certificates by another provider; failing to do so, they must be canceled.
The certificate authority Let's Encrypt, which is mainly funded by the Mozilla Foundation, Google and Cisco, aims to make encrypted HTTPS connections the norm by offering free certificates. In the long run, this could lead to an increase in security and data protection on the internet.
In cooperation with this certificate authority (CA), we try do our part in securing the internet and sharing the benefits with our customers through our services - 100% free.
It's easy for users to tell whether a website is protected by an SSL certificate or not, just as it is to find its specific SSL status. The following signs point to an SSL certificate:
SSL certificates can be procured in a number of ways. One option is to get the certificate directly from a provider, i.e. a certificate authority. It is however easier and more convenient to order it from a web hosting provider. If, for instance, you choose checkdomain, you can order your certificate directly from the website - even if you are not a checkdomain customer (yet).
Our support team is ready to guide you through all the steps involved, be it technical requirements or necessary details. The required proofs or documents, ranging from a simple email confirmation to a copy of the trade register excerpt or the business registration, depend on the selected certificate.
Important: web hosts should ensure that they make a professional impression by opting for an SSL certificate from a trusted and well-known certificate authority such as Comodo. So-Called "self-signed certificates" which are offered for free do little to increase the user's trust.
The certificate is installed on the respective server which hosts the domain connected to the certificate. When a customer with a checkdomain hosting plan orders an SSL certificate, we take care of its installation - so you can sit back and relax. Concerning external certificates, i.e. ones ordered directly from a provider, please get in touch with your server administrator or web host beforehand.
When ordering an SSL certificate, it is important to check whether the company records correspond to the records for the domain owner at the relevant domain registrar for the domain in question. A WHOIS request is helpful to clarify whether the provided details are correct.
Depending on the certificate, the period of validity can last from one up to ten years. The option of an automatic renewal is always included. A crucial point for the trustworthiness of a website is the validity of its SSL certificate. If the certificate is expired, the user will be shown a safety notice - this could deter potential customers.
Send an email