
Checking cer­tifi­cates

Dig­ital cer­tifi­cates are used to encrypt con­nec­tions and pro­vide those using them with the cer­tainty that they are con­nected to the cor­rect web­site. How­ever, they are also used by fraud­u­lent web­sites, so it is impor­tant to check they are actu­ally gen­uine, espe­cially when e‑banking.

Pro­tect your­self by...

  • always entering your finan­cial institution’s Internet address (URL) man­u­ally into your browser address line.
  • paying proper atten­tion to any warning mes­sages and error alerts appearing when estab­lishing a con­nec­tion, and can­celling the process if needs be.
  • making sure that the address line is marked with a lock symbol.
  • checking whether the cer­tifi­cate was explic­itly issued for the finan­cial institution’s name (this is dis­played after you click the lock symbol, under “Issued for”).
  • ver­i­fying that the Internet address (URL) con­tains the cor­rect domain name of your finan­cial insti­tu­tion and is spelled cor­rectly (fur­ther infor­ma­tion on the struc­ture of Internet addresses (URLs) can be found here).
  • only entering your per­sonal access data once the cer­tifi­cate has suc­cess­fully been checked.

Pro­tec­tion pro­vided and risks inherent in certificates

Every browser automatically checks TLS certificates for authenticity and validity when establishing a connection, and only displays the target website without any error notifications once this check has successfully verified the website as correct.

However, since an ever-increasing number of fake financial institution websites are also fitted with a valid TLS certificate for phishing purposes, it is not sufficient just for the browser to check a certificate to make absolutely sure you are on the correct website.

You should there­fore always enter your finan­cial institution’s Internet address (URL) man­u­ally into your browser’s address line, and check the cer­tifi­cate before starting any e-banking session!

Checking cer­tifi­cates in your browser

Gen­er­ally, your browser must not dis­play any error mes­sages when changing over to a pro­tected con­nec­tion. Oth­er­wise, there is some­thing wrong with the cer­tifi­cate or the con­nec­tion, and you should imme­di­ately ter­mi­nate the connection.

You should there­fore never man­u­ally con­tinue to estab­lish a con­nec­tion if any warning notices or error mes­sages are displayed!

A TLS connection which has been correctly established with the proper website and which is based on an authentic and valid certificate – i.e. a secure connection – can be recognised by the following three clear browser characteristics:

  1. A lock symbol in the address line
    This con­nec­tion was encrypted using a valid TLS certificate.
  2. The cor­rect finan­cial institution’s name (this is dis­played after clicking the lock symbol, under “Issued for”) 
    The identity of the certificate owner (the bank) has been confirmed.
  3. Cor­rect domain name and cor­rect spelling of the Internet address (URL)
    You are actu­ally on the finan­cial institution’s website.
    You can read up on how an Internet address is struc­tured here.

[Screenshots of these characteristics in Google Chrome, Microsoft Edge, Mozilla Firefox and Apple Safari]

The spe­cific dis­play of these char­ac­ter­is­tics dif­fers slightly from one browser to the next. You can read up on it under our instruc­tions for the most common browsers.

Checking cer­tifi­cates using finger prints

Man­u­ally checking the authen­ticity of a cer­tifi­cate pro­vides even more secu­rity, even if it is a bit more labo­rious. In this case, the “finger print” dis­played in the browser has to agree with the finger print pub­lished by the finan­cial institution.

If a finger print cannot be iden­ti­fied, you must imme­di­ately ter­mi­nate the connection!

The finger prints of the e-banking log-in pages of our partner banks plus detailed instruc­tions on how to check these finger prints with the help of var­ious browsers can be found on our “eBanking – but secure!” website.

E-banking facilities use digital certificates to ensure that the web server accessed is actually genuine, and to encrypt communication channels connecting to servers. They employ the TLS protocol (the successor to the SSL protocol) to do so. They are therefore also called “TLS certificates” and “TLS connections” for short.

It only takes a few steps to check whether a con­nec­tion is pro­tected as it should be.

Fur­ther infor­ma­tion for those interested

TLS con­nec­tion oper­ating principle

In general, the TLS protocol is the one most frequently used to establish a secure connection to a web server. It is a communications technology which encrypts the information to be transmitted so it cannot be captured. At the same time, it guarantees the authenticity of the web server to which you are connecting, i.e. that the web server is genuine.

The basis of the pro­tec­tion pro­vided is a so-called dig­ital cer­tifi­cate issued by a trust­worthy body – a cer­ti­fi­ca­tion body – for a web server.

Since it can only be guar­an­teed that the web server is gen­uine and cannot be eaves­dropped on for as long as the cer­tifi­cate under­lying the TLS con­nec­tion is authentic and valid, cer­tifi­cate checking plays a cen­tral role here.

Checking cer­tifi­cates with browser support

When browsers estab­lish a TLS con­nec­tion, they verify the fol­lowing cer­tifi­cate properties:

  • Trust­wor­thi­ness of the cer­tifi­cate issuer: The cer­tifi­cate was issued by a trust­worthy cer­ti­fi­ca­tion body (i.e. it was dig­i­tally signed by this body). These checks safe­guard that the cer­tifi­cate is genuine.
  • Cer­tifi­cate validity: The cer­tifi­cate has not expired and has not been declared invalid (has been revoked) before its expiry date.
  • Web server address: The web server address pro­vided in the cer­tifi­cate agrees with the address used in the actual browser address field.

Only once these three checks have been suc­cess­fully con­cluded will there be no error mes­sages dis­played by the browser when estab­lishing a TLS connection.

Verification of the above certificate properties by browsers offers a great degree of security, but can never identify certificates which were issued by a certification body to a fraudster due to insufficient applicant checks. A few fraud cases of this kind did emerge.

Since fraud­sters are highly likely to choose an address for their cer­tifi­cates which dif­fers from the one of the actual target (finan­cial insti­tu­tion), such improp­erly issued cer­tifi­cates can be iden­ti­fied by checking the Internet address (URL) dis­played in the browser.

To this end, users will have to iden­tify whether the domain name of the address actu­ally belongs to the organ­i­sa­tion they want to con­tact (e. g. a finan­cial insti­tu­tion). Many browsers graph­i­cally under­line this part of the address to make ver­i­fi­ca­tion easier (for instance in bold or deep black letters).

Checking cer­tifi­cates by com­paring finger prints

Every TLS con­nec­tion user can check the authen­ticity of the cer­tifi­cate under­lying a con­nec­tion man­u­ally. To this end, they will have to verify the cer­tifi­cate finger print.

A finger print is usu­ally dis­played as a hexa­dec­imal char­acter string con­sisting of the let­ters A-F (although no dif­fer­en­ti­a­tion is made between upper­case and low­er­case let­ters) and the num­bers 0-9.

Finger prints can be verified by manually comparing this character string with a reference string which users will have received from their financial institution. If the character sequence read from the certificate and the reference sequence received from a financial institution are identical, this is a genuine certificate.

Provided that the character string received from a financial institution is genuine, manually checking a finger print is therefore the most secure method of checking certificates.

There is then no need to addi­tion­ally check the Internet address (URL) as described above for cer­tifi­cate checking with browser support.
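
The browser-supported checks and the finger print comparison described above can be reproduced in a short script. This is an added example, not code from this website: the function names and the sample bytes are assumptions made for illustration, and the host and reference finger print must come from your financial institution.

```python
import hashlib
import hmac
import socket
import ssl

# Length of the hex string -> hash algorithm used for the finger print.
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(text: str) -> str:
    """Drop the separators browsers insert and ignore upper/lower case."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if len(cleaned) not in _ALGO_BY_HEX_LEN:
        raise ValueError("not a SHA-1 or SHA-256 finger print")
    if not set(cleaned) <= set("0123456789abcdef"):
        raise ValueError("finger print contains non-hexadecimal characters")
    return cleaned


def fingerprint_matches(der_cert: bytes, published: str) -> bool:
    """Hash the DER-encoded certificate and compare with the published value."""
    try:
        reference = normalize_fingerprint(published)
    except ValueError:
        return False  # an unreadable reference counts as a mismatch
    actual = hashlib.new(_ALGO_BY_HEX_LEN[len(reference)], der_cert).hexdigest()
    return hmac.compare_digest(actual, reference)


def check_site(host: str, published: str, port: int = 443) -> bool:
    """Run the standard TLS checks, then compare the finger print."""
    # The default context verifies issuer chain, validity period and host
    # name (revocation is not checked by default); any failure raises
    # ssl.SSLCertVerificationError before a certificate is returned.
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            der_cert = tls.getpeercert(binary_form=True)
    return fingerprint_matches(der_cert, published)


# Constructed stand-in for certificate bytes (not a real certificate), with
# its finger print written the way browsers show it: AB:CD:EF:...
SAMPLE_DER = b"constructed sample certificate bytes"
_HEX = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
SAMPLE_PUBLISHED = ":".join(_HEX[i:i + 2] for i in range(0, 64, 2))
```

A result of False from check_site, or an exception raised during the connection, corresponds to the cases above in which the connection must be terminated.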
