Problematic SSL Website Certificate on the Official Website of the Bank of Israel

Any website operator who wants to secure a site, or some of its pages, with SSL must obtain a valid certificate from a trusted third-party CA. Without a valid SSL certificate, any user who tries to browse to that site will receive a warning saying that the certificate cannot be trusted.

When you browse to the official website of the Bank of Israel (Bank Israel) you are given the option to view the site in English or in Hebrew. The English version does not have SSL set up, so we won't use it here. Instead we will go to the Hebrew version:

We will click on the Information and Database icon:

Now, let’s go to the link that allows us to check the validity of other people’s ID numbers and restricted accounts:

Up to this point the browsing was done over regular unencrypted HTTP (TCP port 80). We will now enter the ID number (Teudat Zehut number) of the person I want to enquire about, and click Search (in Hebrew: Hapes):

A pop-up Security Alert warning message will appear, telling me I'm about to enter a secure site. Good. I will now click OK:

Hold on!!! What's that??? Another security alert message, this time telling me that the certificate protecting the site (need I remind you? The official website of the Bank of the State of Israel…) comes from an untrusted source!

Wait! There is more: the certificate we're about to use was issued for a website name that does not match the name of the current website (which is exactly what a hijacked website would look like)!!!

I will try to view the certificate:

Going through the property pages of the certificate, I find that this is in fact a demo (and not a stolen, thank God!) certificate created (probably) by Oracle, and used by the people who built the site.

Accepting this demo certificate will indeed take you to the next page, where you'll be able to view the results of your enquiry, but not without further security alerts:

Conclusion: Having respected sites like the Bank of Israel use expired or invalid demo certificates, or certificates from untrusted CAs, is somewhat irresponsible in my opinion. Any hacker or malicious user with a little HTML, X.500 and hacking knowledge can divert innocent and unsuspecting users to a malicious site (by breaking into the DNS servers that are authoritative for the domain), where he or she can easily create a similar digital certificate. Users will then be tempted to accept the certificate, although it is clearly either expired or (what's even worse) from an untrusted CA (one that the hacker can easily set up using Bank Israel-like domain names). People who browse on to the so-called secure site will then be handing their information to the hacker, who in turn can use it to do wrong or to steal other information.
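The three warnings the browser raised above (untrusted issuer, name mismatch, and expiry) are exactly the checks a client must perform before trusting a server certificate. The following script is an added example, not code from the original article or from the Bank of Israel site: it runs those checks over certificate dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns, using two constructed certificates (a vendor-style demo certificate and a properly issued one). The issuer names, host names and dates are placeholders chosen for the example, not values taken from the real site.

```python
import ssl
import time

# Trust anchors this client accepts, keyed by issuer commonName.
# Constructed placeholder; a real client uses the OS or browser root store.
TRUSTED_ISSUERS = {"Example Trusted Root CA"}

# Constructed stand-in for the demo certificate described in the article:
# self-issued by a vendor "demo" CA, issued for a generic appserver name,
# and long expired by the time the check runs.
DEMO_CERT = {
    "subject": ((("commonName", "demo.appserver.example"),),),
    "issuer": ((("commonName", "Vendor Demo Certificate Authority"),),),
    "notBefore": "Jan 15 00:00:00 2003 GMT",
    "notAfter": "Jan 15 00:00:00 2004 GMT",
}

# Constructed example of what a correctly deployed certificate looks like.
GOOD_CERT = {
    "subject": ((("commonName", "www.boi.example"),),),
    "issuer": ((("commonName", "Example Trusted Root CA"),),),
    "subjectAltName": (("DNS", "www.boi.example"), ("DNS", "boi.example")),
    "notBefore": "Jan 01 00:00:00 2004 GMT",
    "notAfter": "Dec 31 23:59:59 2005 GMT",
}

# Fixed "current time" so the example is reproducible (placeholder date).
CHECK_TIME = ssl.cert_time_to_seconds("Jun 01 00:00:00 2004 GMT")


def _dn_field(dn, key):
    """Return the first value for `key` in a getpeercert()-style DN tuple."""
    for rdn in dn:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else subject CN."""
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        cn = _dn_field(cert.get("subject", ()), "commonName")
        if cn:
            names.append(cn)
    return names


def _name_matches(pattern, hostname):
    """Match one certificate name against the host; '*' covers a single label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        _, rest = hostname.split(".", 1)
        return rest == pattern[2:]
    return False


def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return a list of problems; an empty list means the certificate passes.

    Performs the same three checks the browser alerts in the article
    correspond to: trusted issuer, host name match, and validity period.
    """
    problems = []
    now = time.time() if now is None else now

    issuer = _dn_field(cert.get("issuer", ()), "commonName")
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer: {issuer!r}")

    names = _dns_names(cert)
    if not any(_name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: certificate is for {names}, site is {hostname!r}")

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append(f"not yet valid until {cert['notBefore']}")
    if now > not_after:
        problems.append(f"expired on {cert['notAfter']}")
    return problems


if __name__ == "__main__":
    for label, cert in (("demo certificate", DEMO_CERT), ("proper certificate", GOOD_CERT)):
        result = check_certificate(cert, "www.boi.example", TRUSTED_ISSUERS, now=CHECK_TIME)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Against the constructed demo certificate the function reports all three problems at once, which is the same situation the screenshots show: a certificate whose issuer no client trusts, issued for a name that is not the site being visited, and past its validity period. Any one of those is enough for a browser to refuse the connection by default; a site operator should treat each warning as a deployment bug, not as something users should click through.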

Final note: These screenshots were taken a long time before this article was first published. On the 20th of May 2004 I was contacted by a representative of the Bank of Israel, and I was for the first time able to talk face to face (not via e-mail) to someone who claimed responsibility for the site. That person seemed unaware of the facts described here and was, for some reason, unable to duplicate these errors on his machine. We'll see how things turn out. I will keep you informed.

July 2004 Update: During one of my classes I wanted to demonstrate the importance of properly configured SSL certificates, and I noticed that the website has been changed and that the problematic demo certificate has been removed. It seems that at last, after at least one year of nagging, someone has taken the time to fix this stupid misconfiguration.
