How certificates make digitalization more secure
published on 29.04.2020
The more often people access data when working from home and when out and about, the more important digital certificates become. That’s because these certificates provide the basis for trusted online communications.
Certificates: A real knowledge gap
Whether through necessity or conviction, Germans are now working quite a lot from home on their PCs. For some time now, banking and shopping have been moving online. And working from home has been given a boost that could very well change the way we work forever. To ensure that our electronic communications are also secure and legally recognized, we need digital certificates that provide the basis for authentication, encryption and signature procedures.
However, most people in this country seem to associate these certificates more with proof of successfully completed webinars. This was at least suggested by a representative survey conducted by Bundesdruckerei in 2018. According to the survey, only one in four German Internet users was able to explain what the term actually means.
Personal certificates: The basis for the digital self
This gap in knowledge and thus in security appears to have also existed in the corporate world in that same year. According to a survey conducted by techconsult and commissioned by Bundesdruckerei, 40 percent of German companies did not use any personal or organization certificates. These certificates can be used by employees at companies and public authorities to securely prove their identity in the digital world – both within the company and beyond.
They also ensure that only those who can identify themselves with their personal certificate can access an employer’s network, server or cloud. Personal certificates have a similar trust-building effect when communicating with other people: By encrypting messages, these certificates protect sensitive content from hackers. And because they are used to sign e‑mails, they also prove the identity of the sender. Consequently, digital certificates are the basis for electronic signatures and seals that reduce paperwork and protect documents from forgery.
Machine certificates: Trust in the factory
In times of Industry 4.0, however, it is by no means only people who need to trust each other. In the smart factory, machines work together completely autonomously. Machine A sends data that machine B needs for the next production step. To ensure that everything runs smoothly, the two devices also need identities, and that’s where machine certificates come into play. They ensure that data can only be accessed by machines that are in fact authorized to do so. However, machine certificates are not only used to authenticate a device; just like personal certificates, they are also used to encrypt machine-to-machine (M2M) communication.
TLS certificates: How trustworthy are websites?
Digital certificates therefore bring the right people together in the virtual world and are also paving the way for the smart factory. And, of course, they can also help to reduce people’s reservations regarding technology. In Hamburg and North Rhine-Westphalia, criminals launched fake websites on the net where companies could apply for alleged corona emergency aid. There was no money, but in return the companies did disclose highly sensitive data. That’s why it is so important to check for so-called TLS certificates (formerly also SSL certificates) in the browser. They guarantee that the institution or person behind a website is trustworthy.
For example, if you visit your bank’s website, you will ideally see – depending on your browser – a green URL or, when you click on the small lock next to the URL, a text that could read ‘Connection secure – certificate issued for Bank XY’. The user can now enter their access data here without hesitation. It should come as no surprise that TLS certificates encrypt important information, nor that a site that can prove its trustworthiness will have a better search engine ranking.
Admittedly, however, the quality of the TLS certificate also matters to a certain extent, because there may be considerable differences: In the case of domain-validated certificates (Domain Validation, DV for short), the certification authority only checks whether the applicant exercises control over the domain. The applicant’s identity is not important. That’s why these, sometimes free, IT certificates are often used to legitimize fake websites. Organization Validation (OV) certificates ensure that the organization behind the website owner actually exists. So-called Extended Validation (EV) certificates – the highest quality, so to speak – also require an individual identity check: Has the applicant really been authorized by the website owner? Has the organization previously attracted attention in spam campaigns? EV certificates provide security at the highest level, as needed, for instance, in the world of finance.
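The difference between DV, OV and EV shows up in the certificate's subject fields, which is what the browser's lock dialog displays. The following sketch is an added example, not part of the original article: it guesses the validation level from a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The function names and all sample values are assumptions made for illustration.

```python
# Added example, not from the original article. The certificate dicts use the
# shape returned by ssl.SSLSocket.getpeercert(); all values are constructed.

# Subject attributes the EV guidelines require in addition to organizationName.
EV_MARKERS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten the nested 'subject' tuples into {attribute: [values]}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields

def validation_level(cert):
    """Heuristic DV/OV/EV guess from the subject alone.

    The authoritative signal is the certificate policy OID, which
    getpeercert() does not expose, so treat the result as a hint.
    """
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"   # only domain control was checked
    if EV_MARKERS.issubset(fields):
        return "EV"   # organization plus registration details
    return "OV"       # organization checked to exist

def vetted_identity(cert):
    """What the certificate says about who operates the site."""
    fields = subject_fields(cert)
    level = validation_level(cert)
    if level == "DV":
        domain = fields.get("commonName", ["?"])[0]
        return f"DV: no vetted operator, domain {domain} only"
    return f"{level}: {fields['organizationName'][0]}"

# Constructed samples (hypothetical names, not real certificates).
DV_CERT = {"subject": ((("commonName", "emergency-aid.example"),),)}
OV_CERT = {"subject": ((("countryName", "DE"),),
                       (("organizationName", "Example Bank AG"),),
                       (("commonName", "www.bank.example"),))}
EV_CERT = {"subject": ((("jurisdictionCountryName", "DE"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "HRB 00000"),),
                       (("countryName", "DE"),),
                       (("organizationName", "Example Bank AG"),),
                       (("commonName", "www.bank.example"),))}
```

For the DV sample the result names only a domain: the connection is encrypted, but the certificate carries no vetted statement about who operates the site.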
The special case of QWACs: A European solution
The European Union’s eIDAS regulation once again created a special form for this highest quality class that is legally recognized throughout the EU: Qualified Website Certificates (QWACs). Their prominence has increased, above all, due to the EU’s PSD2 Payment Directive which requires that banks grant third-party providers access to their customer accounts via an interface (API).
Both the financial institutions and the accessing FinTechs have to use QWACs. Only trust service providers with a place on the EU’s corresponding list of Qualified Trust Service Providers are permitted to issue these certificates. The first German representative to appear on this list with QWACs was D‑Trust, a Bundesdruckerei company.
PKI: Home to digital certificates
Trust service providers can manage something that is essential for digital certificates but sometimes very costly, namely the development and maintenance of a Public Key Infrastructure (PKI). This infrastructure is needed to create, manage and verify certificates. Anyone who wants to save a lot of work and money can have their PKI operated by qualified Trust Service Providers.