SSL certificates: importance and their differences

In today's internet-focused world, the SSL protocol is typically used for encrypted communication between browser and web server. Here, the browser establishes a connection to the web server, checks the stored SSL certificate and establishes an encrypted connection. This connection takes place immediately and automatically - so as a user of the website, nothing has to be done. SSL complies with the following information security principles:

• Encryption: protection of data transmission
• Authentication: Assurance that the connected server is the correct one.
• Data integrity: assurance that the data requested or submitted is that which was supplied.

Various security indicators, such as the lock symbol in the browser or the additional "s" for "Secure" in "https://" indicate an encrypted connection. By using SSL certificates, hackers cannot intercept the transmitted data and information. You should therefore never transmit questionable information such as credit card details and account registrations on an insecure website. In the worst case, attackers can get hold of this sensitive data.

SSL encryption is not mandatory for all website operators. However, since the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, it is mandatory for websites that request personal data using forms or online shops.

In the GDPR, the requirement for the secure, technical operation of websites and the associated data transfers is based on Article 5 (1) (f) of the GDPR. It states: "[...] processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss [...]". However, this also means that the certificate used must be of a certain quality. The minimum requirements for this have been laid down by the Federal Office for Information Technology (BSI) in its technical guideline BSI TR-03116 (as of 10.01.2020).

The forthcoming e-privacy regulation will also be a further legal standard that will set the direction. The e-privacy regulation will deal with data protection in the private sphere and explicitly in electronic communication and, in addition to the GDPR, will make further demands on encrypted communication.

In general, there are three variants of validation types, which fulfil different standards.

• Domain Validated SSL Certificates (DV) SSL certificates with domain validation use encryption with exclusive authentication of the domain. It is checked whether the client has rights of use for the domain. For this purpose,an e-mail robot sends a message to a WHOIS or alternative administrative address to confirm the order of the certificate.
• Organisation Validated SSL Certificates (OV) Identity certification or organisation validation uses full authentication of the company. The identity of the company and the domain ownership are checked. The SSL certificate confirms that the domain owner has verified himself to the certification authority. In the case of companies, proof of identity is provided by means of an extract from the commercial register or a trade licence, while in the case of private individuals, an identity card is requested. A further security check is carried out by comparing the company's telephone number as well as verification by telephone.
• Extended Validated SSL Certificates (EV) Extended Validation Certificates use a stricter authentication with the highest and most up-todate security standard available in the industry. These are primarily distinguished by a green address line with the name of the SSL-certified company and the certification authority. With these certificates, the highest possible browser acceptance is achieved.

A distinction is made between single, multi-domain and wildcard certificates. However, there are no differences in terms of security, as the encryption technology is identical.

• Individual certificates are used to secure a single domain. This can be the general domain name, such as www.beispieldomain.de.
• Multidomain certificates used to secure different domains, such as www.beispieldomain.de, example.de and www.beispiel.de, with only one certificate. These offer a cheaper alternative to purchasing several individual certificates.
• Wildcard certificates  protect any number of subdomains of a specific domain, for example smtp.beispiel.de, mail.beispiel.de and even the main domain beispiel.de. For organisations and companies, the wildcard SSL certificate shows itself to be a cost-effective way to secure individual subdomains. With wildcard certificates, the common name (CN) is specified as follows: *.example.de.