Using IBL is subject to a contract between the issuer and the SIX Swiss Exchange.
Each time users access IBL, they must authenticate
with a valid user name and password. Logging in opens
a 128-bit SSL connection between the IBL Web server and the client
(Microsoft Internet Explorer version 5.5 or higher; no other browsers are supported).
This is accomplished by means of a third-party server certificate (VeriSign).
A session ID replaces the user name and password as the means of authentication;
the session ID is also SSL-encrypted and stored in an HTTP session cookie.
No client certificates are used. Session IDs become invalid when the user
logs out and after 60 minutes of idle time; the idle timer itself is reset
with each query. The system stores passwords only in the form
of MD5 digests.
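
The session handling described above (invalid on logout, invalid after 60 minutes of idle time, idle timer reset with each query) can be sketched as follows. This is an added example, not IBL code; the class and function names, the cookie name `SESSIONID`, the `Secure`/`HttpOnly` attributes and the injected clock are assumptions made for illustration.

```python
import secrets

IDLE_TIMEOUT_SECONDS = 60 * 60  # 60 minutes of idle time, as stated in the text


class SessionStore:
    """Server-side session table keyed by an unguessable session ID (hypothetical)."""

    def __init__(self, clock):
        self._clock = clock      # callable returning seconds; injected so tests control time
        self._sessions = {}      # session ID -> (user, time of last query)

    def login(self, user):
        # Called only after the user name and password have been verified.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self._clock())
        return sid

    def authenticate(self, sid):
        """Return the user for a live session, else None. A valid query resets the idle timer."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen >= IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # expired: remove it so a late query cannot revive it
            return None
        self._sessions[sid] = (user, now)
        return user

    def logout(self, sid):
        # Logging out invalidates the session ID immediately.
        self._sessions.pop(sid, None)


def cookie_header(sid):
    # Session cookie (no Expires/Max-Age), sent only over TLS and hidden from script.
    # Cookie name and attributes are assumptions, not taken from IBL.
    return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly"
```
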
The IBL system records user activity and application statuses in an audit trail.
The IBL server is located behind a firewall comprising two proxy servers;
this allows it to access the IBL database and the supplementary systems
that are required for further processing. The system is protected against
failure and distributed across two separate facilities. An automated system
makes sure that defective components do not cause any interruptions in the
offered services and that no data is lost.