Intro
I have used Qualsys HTTPS checker tool to survey Israeli banks and a few reference sites. Main points summarized in the table below.
I did no “hacking” nor “cracking” nor break-in attempts.
I am not a security specialist. I just have some basic understanding of security.
List of banks is from Banking in Israel article on Wikipedia.
Comparison points
- SSL3 – insecure, old protocol, should not be used since June 2015
- RC4 – unsupported by recent versions of major browsers since January 2016 because it’s considered to be an insecure protocol. Deprecation started in 2015.
- SHA256 certificate – as opposed to deprecated SHA1 certificate.
- TLS 1.2 – The recommended version of TLS, invented in 2008, plenty of time to implement, one would think… The most important in my opinion (and Qualsys’ too, according to ratings).
- The forward secrecy supporting protocols protects your current sessions, which are probably recorded by NSA and others, from being decrypted later, when the server is compromised. A site gets “yes” if there are some protocols one could use to connect to the site that support the forward secrecy feature.
- Qualsys overall rating
Note that presence of SSL3 or RC4 is not a problem for up-to-date browsers as they just will not use it. It enables insecure connections for older browsers (in some cases the alternative would be no connection at all).
Results
| Web Site | SSL3 (bad) | RC4 (bad) | SHA256 certificate | TLS 1.2 | Forward secrecy |
Qualsys rating |
| Hapoalim (login.bankhapoalim.co.il) | no | no | yes | no | no | C |
| Leumi (hb2.bankleumi.co.il) | no | no | yes | no | no | C |
| Discount (start.telebank.co.il) | no | no | yes | yes | no | A- |
| Mizrahi Tfahot (www.mizrahi-tefahot.co.il) | no | no | yes | yes | partial | A- |
| First International Bank of Israel (online.fibi.co.il) | no | yes | no | yes | no | C |
| Gmail (mail.google.com) | yes | yes | no | yes | yes | B |
| Yahoo mail (uk-mg42.mail.yahoo.com) | no | no | yes | yes | yes | A |
| Facebook (www.facebook.com) | no | yes | yes | yes | yes | B |
| Bank of America (secure.bankofamerica.com) | no | no | yes | yes | no | A- |
Opinion / Rant
Banks that do not support TLS 1.2 should close the web site, heads of security along with their bosses should do Seppuku and the banks should be closed. Do you think that banking information security is less important than emails or Facebook? Maybe it’s “duopoly of Hapoalim and Leumi” manifestation?
Banks that do not support forward secrecy – it’s about damn time!
When one of my clients asked me to improve HTTPS security (when it became important), it went from C to A in about half a day of work for several Nginx and ELB endpoints. Yes, a bank has more complex security and more variety in types of clients but it also has a security team, not one part-time operations guy. The security situation is outrageous.
Ilya's blog 
Considering it took Leumi forever to support browsers other than IE, I’m not surprised at all.
LikeLike
Considering Hapoalim stopped using RC4 in December 2015, just before the site would stop working in January (because of dropped support in browsers), I’m not surprised either 🙂
LikeLike
Yep. At least the Leumi site is mostly usable. It wasn’t always…
LikeLike
[…] Reprinted with permission from Ilya’s personal blog. […]
LikeLike