Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Some users were surprised to find out that we do not publish the fingerprints of our SSL certificates from SwissSign on our website. Some websites do, but we do not.
The reason for checking the fingerprints of SSL certificates would be to ensure that there is no ‘man in the middle’ who has activated the connection and manipulated the SSL connection with his own certificates.
However, a ‘man man in the middle’ middlewould at the same time also be able to change the content of the websites and replace the SSL fingerprint published on these sites with the SSL fingerprint he has used.
Any vigilant user wishing to check the SSL fingerprints would then see the compromised SSL fingerprints, which would match the manipulated certificate, and the user would be under the false impression that everything was perfectly fine, thereby exposing himself to risk. publishes its SSL fingerprints on a secure third channel. The technology we use for this is called DANE, which publishes SSL fingerprints in the DNS system of the domain. In order to prevent a ‘man in the middle’ from manipulating data, the data published here via the ‘DNSSEC’ DNSSECsystem is protected using in-house encrypted signatures. DANE/DNSSEC therefore provides a secure ‘second, independent medium’ through which the fingerprints of the SSL certificates can be published.

Modern browsers – or suitable plug-ins – can check a website’s DANE data and use independent, colored tags to inform the user about the authenticity of the SSL certificate. We have provided an explanation of DANE from in our blog.Alternatively, you can use an independent service to verify the SSL certificate, which can read the corresponding DNS entry for you - for example:

Content by Label
cqllabel in ("ssl","dnssec","certificate","dane","certificates","tls") and type = "page" and space = "MBOKBEN"
labelsssl certificate certificates dane tls dnssec