Internet Explorer becomes Korean election issue (theregister.co.uk)
155 points by Cbasedlifeform on Nov 14, 2012 | hide | past | favorite | 37 comments


They’re getting slightly old now but Gen Kanai wrote a couple of blog posts when Mozilla were first pushing Firefox in South Korea which are worth a read if you’re interested more in how the situation arose.

https://blog.mozilla.org/gen/2007/02/27/the-cost-of-monocult...

https://blog.mozilla.org/gen/2007/09/21/update-on-the-cost-o...


Gen just posted a 2012 update to the above blog posts:

https://blog.mozilla.org/gen/2012/11/15/2012-update-to-the-2...


This is Gen Kanai, (that's my blog you're reading.)

I recently had a chance to speak with some of our Korean community members and the sad reality is that Ahn Lab was/is part of the problem (they sell plugins to Korean companies who need them, which is unfortunate for a security company).

Ahn seems to be a savvy politician. He's campaigning on whatever works. I am told that he does not really care about the browser monopoly in Korea (which makes sense, sadly.)


Wow. That's some horrible lawmaking right there. Massive costs to everybody just because some busybody wanted everyone to use his/her crypto standard.


How else should they have done it? Remember this is a time when mainstream browsers are only shipping 56-bit crypto because of US export regulations. They needed a standard and a standard implementation (because having generalist developers, even good ones, implementing crypto is a recipe for disaster). Netscape didn't have extensions (only plugins); ActiveX was likely the only extension API that offered the right hooks for implementing something like this.


They should have made policy to require a certain level of security and fund efforts to implement such a system/standard. The policy would have been valid even after other systems (or newer, exportable browsers) appeared that offered similar or better security.


Why should the Government legislate what crypto you use?


Funnily enough that's precisely why another government legislated what crypto their citizens should use.


Companies want protection. Companies want to demonstrate that they are not negligent. Companies want clear rules that state "doing it THIS way is good and safe and in the event that it all goes wrong will leave you blameless because you totally followed the rules". The big rulemaker in any society is government. You could have worked this out on your own.


Because they want to be able to read your shit.


Extreme, maybe, but a local proxy server would work.


It seems that the standard behind that was first published in 1998 (http://en.wikipedia.org/wiki/SEED) whereas crypto export restrictions were lifted only in 2000.

Before the export restrictions, browsers outside the US were restricted to 40-bit RC4 (which could be hacked in a matter of days) instead of the 128-bit version that was available within the US. So I think it is fair to say that it was not just some busybody wanting everyone to use his/her crypto standard.


Sure, there may be a good argument for South Korea's Government having implemented their own Cryptography at that time.

There is no argument for passing legislation forcing everyone to use it even when better alternatives exist.



Thanks. This article also explains why South Korea didn't just mandate 128-bit crypto, but SEED specifically. (They hoped it would become the standard, so they could collect royalties.)


Thanks, my bad...


Is there any Korean here that can give a perspective on how the Korean open source community has adapted to the proprietary SEED cipher? Has there ever been an attempt to implement it in openssl, gnutls, etc, so as to not depend on this ActiveX plugin?


> Has there ever been an attempt to implement it in openssl, gnutls, etc, so as to not depend on this ActiveX plugin?

SEED is implemented in NSS (Firefox's network security backend)[0] as of 2010. I'm not sure whether or not that removes the dependency on IE, though.

Edit: looks like it's implemented in OpenSSL as well[1].

[0]: https://bugzil.la/453234

[1]: https://www.openssl.org/docs/apps/ciphers.html#SEED_ciphersu...


The dependency on IE is also a result of Korean coders/designers relying on the quirks and bugs and specificities of IE6 for their websites. Even when it comes to non-e-commerce sites, many (most?) sites won't function properly if you don't use IE.

This is the end result of the encryption-thing, so getting rid of that would be a proper step forward, but wouldn't solve the problem itself. By now IE is systemic :[


Supporting SEED alone in Webkit or Gecko won't work because neither will implement ActiveX support, especially because Microsoft itself is deprecating ActiveX in future versions of Windows.


It is said that governments should legislate for results, not actions. This is a very clear example why.


Laws like this should use wording like the Frye Standard for expert testimony, which says that scientific principles must be 'generally accepted' by the scientific community to be admissible in court.

Likewise, a law mandating cryptography should say that banks, and other organizations that deal in sensitive data, must use cryptography algorithms and practices that are 'generally accepted' by cryptographers as being secure.

http://en.wikipedia.org/wiki/Frye_standard


The title is probably a bit sensationalist, given that the aim is not getting rid of IE but getting rid of the dependence on an IE plugin due to non-standard crypto.


Several banks in Korea currently provide Firefox and Chrome plugins that implement one or another legally mandated crypto algorithm. Some of them even work on Linux. Thanks to Apple and Samsung, there has been a lot of demand for mobile e-commerce apps, and once you've ported your Windows crypto software to iOS and Android, it's not too difficult to port it again to OSX and Linux. As of 2012, the cross-platform online banking situation in Korea is not as bad as the article makes you believe, provided that you do business with a sensible bank.

But the cipher is only one part of a very complicated situation. E-commerce in Korea is still very much crippled in non-Windows platforms, because:

1. In Korea, the standard way for individuals to authorize an online transaction is to sign it with an RSA key that is associated with an X.509 certificate that is issued by one of a handful of official bodies. (Korea was actually quite forward-looking when they made these rules. This was in the late 90s!) There are also detailed regulations about where in your Windows filesystem your keys can be stored. So there needs to be a graphical interface that displays all keys found in your filesystem, accepts a passphrase, produces a signed transaction in a certain format, and feeds it back to the web page you're on. That's a lot of work for a browser plugin to do, especially when you want to make it platform-independent. And we all know that the UI for client certificates is terribly broken in most browsers.

2. In addition, the client must be running firewall software that meets certain requirements (Windows Defender doesn't qualify), as well as some sort of anti-keylogging software for the duration of the transaction processing (Big Bro looking after your own safety, how grateful). These rules were made because some lawmakers got scared by keyloggers or something. Not sure how effective they are, but most banks and online merchants supply this software as ActiveX controls. The thing is, you need administrator privileges in order to run firewalls and keyboard drivers. Even in Windows, online banking doesn't work unless you're using an admin account. I'm not sure whether this would even be possible with standard browser plugins on OSX and Linux. AFAIK, the consensus among Korean open-source developers seems to be that both requirements are completely pointless and therefore not worth trying to meet.

As a result of these and other complications, most banks restrict non-Windows, non-IE clients to relatively harmless tasks like viewing your balance. If you want to engage in risky kinds of banking, like paying bills and sending money to other people, you must augment your supposedly inferior security with additional (again, legally mandated) protections, such as a one-time password generator. I actually think that this is headed in the right direction -- OTPs offer fantastic security -- but the current state of affairs makes non-IE users continue to feel like second-class customers. Even with an OTP, some tasks are still off-limits to Linux users.
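The signing step described in point 1 above (an RSA key bound to an X.509 certificate, a transaction signed on the client and checked by the bank), as an added Go example that is not code from the thread or from any Korean bank's plugin. The certificate is self-signed here purely to keep the example offline; the key, the certificate subject and the sample transaction bytes are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issueCert self-signs a certificate for the user's key; in Korea an accredited body issues it instead.
func issueCert(key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example user"}, // constructed subject
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signTx is the client side: hash the transaction bytes the page supplied and sign the digest.
func signTx(key *rsa.PrivateKey, tx []byte) ([]byte, error) {
	digest := sha256.Sum256(tx)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyTx is the bank side: the certificate must permit signing and its public key must verify
// the signature over exactly the transaction received, so a modified amount is rejected.
func verifyTx(cert *x509.Certificate, tx, sig []byte) error {
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate is not valid for digital signatures")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(tx)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```

A real deployment would additionally chain the certificate to the issuing body's root and check revocation, which the offline self-signed setup here cannot show.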


I visited South Korea this summer and each and every web site, including the national railroad operator, had mysterious bugs that prevented any intelligent usage. It took me a few minutes to figure out that I simply needed to use IE.


It will be a good thing for non Koreans too. I tried purchasing tickets on Asiana Airlines' website recently. Landing on their home page, I was greeted with a message saying the website was optimized for Internet Explorer. Sure enough, I couldn't select my destination from the drop down menu on Chrome.


Why not implement the crypto standard in Firefox/Chrome?


Because they didn't exist yet?


i guess (s)he meant: why not implement that standard in firefox now. that would remove the lock-in to ie as well.

(it might not be possible because of patents, etc. but the government should -of course- be able to fund it.)


Or create a shim/adaptor, or even reverse engineer the darn thing and put it inside a Firefox plugin

Or the alternative is better, wait until someone finds a flaw in this 'standard' (shouldn't be too hard) and have fun with it.


The correct thing to do would be to mandate that all "e-commerce sites" need to enforce a "reasonable level of security", where the quoted items are defined by some professional body.


Why pass a law at all? Almost every e-commerce site uses TLS of their own free will.


Koreans don't seem to think that way.

As a matter of fact, in Korea, every e-commerce site is required by law to use TLS. Even if you don't sell anything online, you must use TLS if you're for-profit and you have any sort of login system. It's been the law since last August. CAs have been making a lot of money lately.


> Koreans don't seem to think that way

That's interesting. As an American programmer, it seems obvious to me that merchants and credit card providers would find it in their interests to prevent fraud and credit card theft. Do you have any insight into why Koreans feel differently about that? Is there something different about the legal system that makes civil liability for unauthorized card use an insufficient motivation to use reasonable security measures?


My first guess is that the ubiquity of ActiveX-based payment processing software makes TLS somewhat redundant. In Korea, nobody enters their card number into a web page, they always enter it into an ActiveX pop-up window. So the merchants might think: Why encrypt the whole page when all the money-related info will be sent through an encrypted side channel anyway? (Of course, the ActiveX control is being delivered through an insecure channel in the first place, but try explaining that to the average CEO.)

The potential liability for not encrypting usernames and passwords is probably negligible compared to the liability for not encrypting payment details. So in the absence of government regulation, there's not enough financial incentive for merchants to encrypt non-money-related stuff.


We're rooting for you Korea! Don't let us down.


Certainly hope so! This issue needs to be rectified regardless of who becomes the president: If either of the two liberal ones (Ahn or Moon) wins we have hope. But if the conservative party (Park) wins the election I wouldn't expect the change.

The unusual IE dependency is now hurting the Korean internet industry, as both the established brands and the startups in Korea develop for IE, their services end up failing to go beyond the Korean market. Hard to globalize your offering when you have to start satisfying a peculiar domestic market, and when you grew up using ActiveX and IE most of your life.



