Second extended certificate
Created at 22.December 2015, 18:30 | Category: Blog
Dear Posteo users,
From now on, we are also deploying a second extended security certificate.
Such authenticated, “green security certificates” are used first and foremost by organisations that deal with sensitive data, such as banks. It can be seen on the left of our web address (https://posteo.de) in your browser (usually a key symbol with green background). In this way you can always recognise that you are actually on the Posteo website – and not some sort of phishing site. If you use a local email program, it will additionally check the security certificate before establishing an encrypted connection with Posteo – confirming the validity of the encryption partner. Email providers use certification authorities for this, who confirm the validity of a security certificate before an encrypted connection is established. OCSP is an additional security measure: An OCSP server confirms that a certificate has not been revoked.
We therefore use a second certificate
The reason for additionally deploying a second certificate is that the OCSP servers of the certification authority StartCom were not reliably reachable over the past few days. In some individual cases, this led to restrictions in programs that additionally check OCSP, such as Thunderbird and Firefox. We know that for this reason some of our users experienced an error when opening our website or working in a local email program. At Posteo itself, there was no problem at any time, and the security of your connections was not affected at any time. Because it is completely unacceptable to us that a problem at a single certification authority repeatedly affects our customers, we are from now on using a certificate certified by the Bundesdruckerei, which we had recently already created as a second certificate.
What a certification authority does
Email providers use certification authorities to confirm the validity of their certificates before an encrypted connection is established. A certifier in addition certifies the public key of a provider’s SSL certificate. It’s similar to a notary: After checking multiple documents, (including company registration, personal identity documents, telephone calls with us and our lawyers, etc) the certification authority confirms that the public key really does belong to the provider, in this case, therefore, to Posteo e.K. The certification authority does not create our certificate and/or key pair – we do this ourselves. They can therefore not manipulate or exchange the keys.
Our new certificate, certified by the Bundesdruckerei, conforms to current security standards and was signed using the SHA-256 algorithm.
If your browser, email program, smartphone or tablet happens to produce an error message due to an invalid certificate following our change, this is not due to an attack or an error. It merely means your program has the old certificate saved. In most cases, restarting the program or device should remedy this.
The “electronic fingerprints” for our new security certificate are:
SHA256: 6A:B1:9D:FB:FB:10:2E:D8:89:01:76:8C:B1:6B:61:13:A1:E3:B6:A5:47:D6:85:A3:FD:08:7F:11:DA:35:77:E7
SHA1: 8D:D7:97:B4:45:79:4D:EC:64:AE:D1:90:88:AC:B4:F4:5A:21:EA:6A
MD5: DA:CC:03:04:8C:E8:03:54:4F:6B:B2:2E:C2:ED:94:D8
You can also find the fingerprints for both certificates in our legal notice page. This information is only relevant for users who manually check our certificates.
If a program or system that you use does not have the Bundesdruckerei root certificate pre-installed and therefore does not trust the connection to Posteo, you can simply install it. It can be found for download from the Bundesdruckerei website. There, you can also find the fingerprint of the root certificate “D-TRUST Root Class 3 CA 2 EV 2009” on the downloads page, which we also publish here for comparison purposes:
SHA-256 EE:C5:49:6B:98:8C:E9:86:25:B9:34:09:2E:EC:29:08:BE:D0:B0:F3:16:C2:D4:73:0C:84:EA:F1:F3:D3:48:81
SHA-1 96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83
The Posteo domains that we use with the SSL certificate are in our possession. The entries of our name server in the DNS are also additionally secured with DNSSEC, to prevent manipulation. And using DANE anyone can check our key’s fingerprints without doubt.
Even if we did not have any influence over the disturbances caused by the error at the certification authority, we would still like to apologise if you were affected by this annoying problem.
Best regards,
The Posteo team