How an SSL connection works
The TLS protocol (still widely called SSL, the name of its predecessor) is the standard way of establishing a secure connection to a web server. It encrypts the data in transit so that it cannot be read or altered by anyone who intercepts it, and at the same time it authenticates the web server you are connecting to, i.e. it gives you assurance that the server is the genuine one.
The basis of this protection is a digital certificate issued to the web server by a trusted third party, the certification authority (CA).
The server can only be taken to be genuine, and the connection safe from eavesdropping, for as long as the certificate underlying the SSL connection is authentic and valid. Checking that certificate is therefore central to the whole scheme.
Checking certificates with browser support
When a browser establishes an SSL connection, it verifies the following properties of the server certificate:
- Trustworthiness of the issuer: the certificate was issued, i.e. digitally signed, by a certification authority the browser trusts, either directly or through a chain of intermediate certificates ending at a trusted root. This check establishes that the certificate itself is genuine.
- Certificate validity: the certificate has not expired and has not been revoked (declared invalid by its issuer before the expiry date). In practice revocation checking in browsers is best-effort: if the revocation lookup (CRL or OCSP) cannot be completed, many browsers proceed anyway, so this is the weakest of the three checks.
- Web server address: the host name shown in the browser's address bar matches one of the names the certificate was issued for (its Subject Alternative Name entries).
The browser establishes the connection without a warning only if all three checks succeed; if any of them fails, it displays a certificate error.
These browser checks offer a high degree of security, but they can never detect a certificate that a certification authority issued to a fraudster because it did not check the applicant sufficiently: such a certificate is formally valid and passes all three checks. A few fraud cases of this kind have occurred.
Since a fraudster's certificate is almost always issued for an address that differs from that of the real target (for instance a financial institution), such improperly issued certificates can still be recognised by checking the address displayed in the browser.
To do this, users have to verify that the domain part of the address (the registered domain at the right-hand end of the host name, not any prefix placed in front of it) actually belongs to the organisation they intend to contact, e.g. their financial institution; a look-alike name that merely contains the institution's name with extra words or as a subdomain does not. Current browsers highlight this part of the address to make the check easier, for instance by rendering it in bold or in darker letters than the rest of the URL.
Checking certificates by comparing fingerprints
Every user of an SSL connection can also check the authenticity of the certificate underlying the connection manually, by verifying the certificate's fingerprint.
A fingerprint is a cryptographic hash of the certificate (today normally SHA-256; older tools also show SHA-1, and where both are offered the SHA-256 value should be compared). It is displayed as a hexadecimal string of the digits 0-9 and the letters A-F, usually in pairs separated by colons; upper and lower case letters are equivalent.
The fingerprint is verified by comparing the string shown for the certificate, in full and character by character, with a reference string the user has received from the financial institution. If the two are identical, the certificate is the genuine one; a match on only the first few characters proves nothing.
Provided that the reference string received from the financial institution is itself genuine, i.e. was obtained over a channel independent of the connection being checked, manually checking the fingerprint is therefore the most secure method of checking a certificate. Note that the fingerprint changes whenever the institution renews its certificate, so the reference string must be kept up to date.
Because a matching fingerprint identifies exactly one certificate, and that certificate was issued for the institution's address, there is then no need to check the address bar as well, as described above for the browser-supported check.
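The following Go program is an added example, not code from the original page or from any financial institution; it illustrates both the three browser checks described above (trusted issuer, validity period, host name match) and the manual fingerprint comparison. Because no real bank certificate can be embedded here, it generates a throwaway root CA and a server certificate in memory using only the Go standard library; the CA name "Example Test Root CA", the host name online.example-bank.test and the look-alike online.example-bank-login.test are assumed names chosen for the example. Revocation is deliberately not checked, since x509.Verify does not do that on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// mustCert signs tmpl with signer under parent and returns the parsed result.
func mustCert(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced above always parses
	return cert
}

// BuildTestPKI generates, in memory, a throwaway root CA (10 years) and a server
// certificate for online.example-bank.test (1 year), both valid from notBefore.
// The CA stands in for a trusted certification authority and the leaf for a
// financial institution's certificate; the names are assumed, not real.
func BuildTestPKI(notBefore time.Time) (roots *x509.CertPool, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "online.example-bank.test"},
		DNSNames:     []string{"online.example-bank.test"}, // the address a browser compares
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, mustCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
}

// CheckLikeBrowser runs the three checks from the text: chain to a trusted root,
// validity period at now, and host name match. Revocation (CRL/OCSP) is not part
// of x509.Verify and would have to be added separately.
func CheckLikeBrowser(leaf *x509.Certificate, roots *x509.CertPool, hostname string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: now})
	return err
}

// FingerprintSHA256 renders the fingerprint as browsers display it: SHA-256 over
// the DER encoding, as upper-case hex pairs separated by colons.
func FingerprintSHA256(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(h)/2)
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// FingerprintsMatch compares the complete SHA-256 fingerprint of the presented
// certificate with a reference received out of band. Case and separators in the
// reference are ignored; a truncated reference is rejected, never prefix-matched.
func FingerprintsMatch(cert *x509.Certificate, reference string) bool {
	var want strings.Builder
	for _, r := range strings.ToUpper(reference) {
		if (r >= '0' && r <= '9') || (r >= 'A' && r <= 'F') {
			want.WriteRune(r)
		}
	}
	sum := sha256.Sum256(cert.Raw)
	return want.String() == strings.ToUpper(hex.EncodeToString(sum[:]))
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	roots, leaf := BuildTestPKI(issued)
	now, host := issued.AddDate(0, 6, 0), "online.example-bank.test"
	fmt.Println("genuine host:  ", CheckLikeBrowser(leaf, roots, host, now))
	fmt.Println("lookalike host:", CheckLikeBrowser(leaf, roots, "online.example-bank-login.test", now))
	fmt.Println("after expiry:  ", CheckLikeBrowser(leaf, roots, host, issued.AddDate(2, 0, 0)))
	fmt.Println("fingerprint:   ", FingerprintSHA256(leaf))
}
```

Run it with go run; the genuine host prints a nil error, the look-alike host fails the address check (an x509.HostnameError), and the same certificate checked two years after issue fails the validity check (an x509.CertificateInvalidError). Passing an empty certificate pool instead of roots makes the issuer check fail in the same way a certificate from an unknown CA would in a browser. The fingerprint comparison accepts the reference string in any case and with any separators but insists on all 64 hex digits, which is the manual check described in the text.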