Problematic SSL Web Certificate on the Official Website of the Bank of Israel
Any website operator that wants to secure the site or some of it’s pages with SSL must obtain a valid certificate from a trusted third party CA. Without a valid SSL certificate any user who will try to surf to that site will receive a warning telling them that the certificate should not be trusted for validity.
When you try to surf to the official website for the Bank of Israel (Bank Israel) http://www.bankisrael.gov.il
you will have an option to view the website in English or in Hebrew. The English version does not have SSL set up so we won’t use it here. Instead we will go to the Hebrew version:
We will click on the Information and Database icon:
Now, let’s go to the link that allows us to check the validity of other people’s ID numbers and restricted accounts:
Up to this point the surfing was done via regular un-encrypted HTTP (TCP port 80). We will now enter the ID number (Tehudat Zehut number) for the person I want to enquire about, and click Search (in Hebrew – Hapes):
A pop up Security Alert warning message will appear, telling me I’m about to enter a secure site. Good. I will now click Ok:
Hold on!!! What’s that??? Another security alert message, this time telling me that the source of the certificate protecting the site (need I remind you? The official website for the Bank of the state of Israel…) is coming from an untrusted source!
Wait! There is more: The certificate we’re about to use was created for a website that does not match with the name of the current website (it could be a hijacked website for example)!!!
I will try to view the certificate:
Going through the property pages of the certificate I find that this is in fact a demo (and not a stolen, thank God!) certificate created by (probably) Oracle, and used by the people that have built the site.
Accepting this demo certificate will indeed take you to the next page where you’ll be able to vie the results of your enquiry, but not without further security alerts:
Conclusion: Having respected sites like the Bank of Israel use expired or invalid demo certificates, or certificates from un-trusted CAs is somewhat irresponsible in my opinion. Any hacker or malicious user with little HTML, X500 and hacking knowledge can easily divert the innocent and un-expecting users to a malicious site (by breaking into the DNS servers that are authoritive for the bankisrael.gov.il domain) where he or she can easily create a similar digital certificate. Users will then be tempted to accept the certificate although it is clearly either expired or (what’s even worse) from un-trusted CA (one that the hacker himself can easily set up by using Bank Israel-like domain names). People who will surf on to the so-called secure site will then be giving this information to the hacker, which in turn can use this information to do wrong or even steal other information.
Final note: These screenshots were taken a long time before this article was first published. On the 20th of May 2004 I was contacted by a representative of the Bank of Israel and I was first able to talk, face to face (not via e-mail) to someone who claimed responsibility for the site. That person seemed unaware of the facts described here, and was, for some reason, unable to duplicate these errors on his machine . We’ll see how things turn out. I will keep you informed.
July 2004 Update: During one of my classes I wanted to demonstrate the importance of properly configured SSL certificates and I noticed that the website has been changed and that the problematic demo certificate has been removed. It seems that at last, after at least one year of nagging, someone has taken the time to fix this stupid misconfiguration.
You might also want to read the following related articles: