Green padlocks and company names: How certificates safeguard websites
Certificate type and issuer determine the security level.
- Certificate type and issuer determine the security level
- A high level of trust only when the identity of the organization is checked
- Google’s plans for certificates: Setback for the sovereignty of European Internet users
Berlin, 8 October 2018 – Google and other providers of Internet browsers are currently promoting the use of so-called SSL certificates. These enable data to be transferred in encrypted form between the Internet user’s computer and a website. Google’s browser Chrome, for instance, warns against unencrypted sites by displaying a “Not secure” message. This makes it all the more important for companies and public authorities to protect their own websites with SSL certificates or to update existing certificates. Many Certification Authorities (in short: CAs) offer different SSL certificate variants. In public-sector and commercial settings, Bundesdruckerei's IT security experts recommend certificate types that include proof of identity. “A website is only trusted and secure if the owner's identity has been checked and confirmed,” says Dr. Kim Nguyen, Managing Director of Bundesdruckerei subsidiary D-TRUST, one of the largest certificate providers in the EU.
SSL certificates are issued by external certification authorities in various EU countries. These include the certification authority "Let's Encrypt", whose business model is based on issuing free certificates. These certificates, however, only confirm control of the domain; the identity of the website owner is not verified. This means that cyber criminals can easily obtain such certificates and misuse data via fake websites. The Federal Office for Information Security (BSI) has been warning against "fake certificates" like these for years.
The trustworthiness of the certification authority is important
Europe’s “Regulation on electronic identification and trust services for electronic transactions in the internal market” (eIDAS) refers to certification authorities that provide a high level of trust as qualified trust service providers. To attain this status, trust service providers are required to implement stricter EU requirements, and they are regularly monitored by the national supervisory authorities. Dr. Nguyen: “Qualified trust service providers are the European answer to the question: How can trust and security be established in insecure networks?”
Certificates differ in many ways
SSL certificates can be divided into the following types and security levels:
1. Domain-validated certificates
Domain validation (in short: DV) is the most widely used form of validation and offers the lowest level of security. With this type of certificate, the certification authority checks by e-mail whether the customer is in fact the owner of the domain. The requester’s identity is not checked. This means that cyber criminals can easily get DV certificates for their fake websites. DV certificates are available free of charge or at low prices from certification authorities and web hosts.
2. Organization-validated certificates
With organization-validated SSL certificates (in short: OV), the identity of the organization is checked along with the domain. The owner of the domain provides documents, such as an excerpt from the commercial register, as proof of identity. In this way, misuse can be largely ruled out. OV certificates meet high security requirements and are therefore the first choice for company and government websites. They are issued against a fee by certification authorities and web hosts.
3. Extended validation certificates
So-called extended validation certificates (in short: EV) offer the highest level of security. In addition to checking the domain and the organization, these certificates require proof of identity from the requester. A check is carried out to ensure that this person is in fact employed by the company and is authorized to purchase an EV certificate. These certificates ensure security at a level similar to online banking. They are therefore mainly used by banks and insurance companies and also by some online shops. Like OV certificates, they are issued against a fee by certification authorities and web hosts.
Qualified website authentication certificates (in short: QWACs) are a special type of EV certificate. Technically speaking, they are the same as EV certificates; however, they have a particularly high degree of legal certainty throughout the EU. This is rooted in the eIDAS Regulation. “Qualified website certificates are interesting for applications with the highest security requirements. This includes banking according to the new EU payment directive, PSD2, as well as digital networking of registers at public authorities,” explains Dr. Nguyen. QWACs may only be issued by so-called qualified trust service providers based in the EU. D-TRUST is currently one of the few providers of QWACs in Europe.
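The four levels described above are not just marketing labels: a browser (or an auditor checking a company's own sites) can read them straight out of the certificate, from the subject's Organization attribute and the policy OIDs in the certificatePolicies extension. The following is an added example, not Bundesdruckerei or D-TRUST code. It uses only the Python standard library: a minimal DER reader that pulls those two fields out of a certificate, a classifier that applies the DV/OV/EV/QWAC rule, and a minimal DER writer that constructs unsigned dummy certificates so the demonstration runs offline. The policy OIDs are the published CA/Browser Forum values (DV, OV, EV) and the ETSI EN 319 411-2 QCP-w value that qualified website certificates carry; the sample domains and organization names are constructed.

```python
"""Classify a website certificate's validation level (DV / OV / EV / QWAC).

Added example, not Bundesdruckerei or D-TRUST code. Standard library only:
a minimal DER reader, a classifier, and a minimal DER writer used to build
constructed, unsigned sample certificates for an offline demonstration.
"""

# CA/Browser Forum policy OIDs and the ETSI EN 319 411-2 QCP-w OID used by QWACs.
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"
CABF_EV = "2.23.140.1.1"
ETSI_QCP_W = "0.4.0.194112.1.4"
OID_CN, OID_O, OID_CERT_POLICIES = "2.5.4.3", "2.5.4.10", "2.5.29.32"


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split a constructed element's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out


def _decode_oid(val):
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:                              # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_certificate(der):
    """Return ({subject attribute OID: text}, [policy OIDs]) from a DER certificate."""
    _, cert, _ = _tlv(der, 0)
    fields = _children(_children(cert)[0][1])      # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # optional [0] version
        fields = fields[1:]
    # order: serial, signature, issuer, validity, subject, spki, optional [1] [2] [3]
    subject = {}
    for _, rdn_set in _children(fields[4][1]):
        for _, atv in _children(rdn_set):
            (_, oid), (_, text) = _children(atv)
            subject[_decode_oid(oid)] = text.decode("utf-8")
    policies = []
    for tag, val in fields[6:]:
        if tag != 0xA3:                            # [3] extensions
            continue
        for _, ext in _children(_children(val)[0][1]):
            parts = _children(ext)                 # OID, [critical], OCTET STRING
            if _decode_oid(parts[0][1]) == OID_CERT_POLICIES:
                _, seq, _ = _tlv(parts[-1][1], 0)  # SEQUENCE OF PolicyInformation
                policies += [_decode_oid(_children(p)[0][1]) for _, p in _children(seq)]
    return subject, policies


def classify(subject, policies):
    """Validation level as the page defines it; a QWAC is an EV cert under QCP-w."""
    if ETSI_QCP_W in policies:
        return "QWAC"
    if CABF_EV in policies:
        return "EV"
    if CABF_OV in policies or OID_O in subject:    # DV certs carry no Organization
        return "OV"
    return "DV"


# --- minimal DER writer, only to construct sample certificates for the demo ---
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        body += bytes(reversed(chunk))
    return _enc(0x06, body)


def _enc_name(attrs):
    return _enc(0x30, b"".join(
        _enc(0x31, _enc(0x30, _enc_oid(o) + _enc(0x0C, t.encode()))) for o, t in attrs.items()))


def make_sample_certificate(subject, policies):
    """Constructed, unsigned dummy certificate: structurally valid, not trustworthy."""
    sha256_rsa = _enc(0x30, _enc_oid("1.2.840.113549.1.1.11"))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + sha256_rsa
           + _enc_name({OID_CN: "Constructed Test CA"})
           + _enc(0x30, _enc(0x17, b"180101000000Z") + _enc(0x17, b"190101000000Z"))
           + _enc_name(subject)
           + _enc(0x30, _enc(0x30, _enc_oid("1.2.840.113549.1.1.1")) + _enc(0x03, b"\x00")))
    if policies:
        pinfos = b"".join(_enc(0x30, _enc_oid(p)) for p in policies)
        ext = _enc(0x30, _enc_oid(OID_CERT_POLICIES) + _enc(0x04, _enc(0x30, pinfos)))
        tbs += _enc(0xA3, _enc(0x30, ext))
    return _enc(0x30, _enc(0x30, tbs) + sha256_rsa + _enc(0x03, b"\x00"))


def demo():
    """Classify four constructed certificates, one per level described on the page."""
    samples = {  # constructed sample subjects, not real sites
        "DV": ({OID_CN: "shop.example"}, [CABF_DV]),
        "OV": ({OID_CN: "www.example", OID_O: "Example GmbH"}, [CABF_OV]),
        "EV": ({OID_CN: "bank.example", OID_O: "Example Bank AG"}, [CABF_EV]),
        "QWAC": ({OID_CN: "psd2.example", OID_O: "Example Bank AG"}, [CABF_EV, ETSI_QCP_W]),
    }
    return {k: classify(*inspect_certificate(make_sample_certificate(*v))) for k, v in samples.items()}
```

Running `demo()` returns `{"DV": "DV", "OV": "OV", "EV": "EV", "QWAC": "QWAC"}`. Against a real site, `inspect_certificate` can be fed the DER bytes obtained from `ssl.SSLSocket.getpeercert(binary_form=True)`; the reader only walks the fields it needs and ignores signatures, so it is an inspection aid, not a substitute for the browser's chain validation.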
Google’s plans restrict digital sovereignty of European users
Together with other browser providers, Google plans to largely remove the information displayed to show users the type of certificate and hence the security level. This information includes, for instance, a green padlock or the organization name in green letters. If, in future, the browser only displays warnings for unencrypted connections, Dr. Nguyen believes that this will encroach upon digital sovereignty in Europe: “European Internet users will not be able to see at a glance in the address bar who is behind a website,” says Mr Nguyen. “If Google is successful, the incentive for website operators to use such secure OV certificates will decrease and users will be deprived of the additional information about the organization that is provided in the certificate.”
Graphic: Website certificates