

Internet Explorer becomes Korean election issue - Cbasedlifeform
http://www.theregister.co.uk/2012/11/14/ahn_lab_internet_explorer_seed_replace_korea/

======
robin_reala
They’re getting slightly old now but Gen Kanai wrote a couple of blog posts
when Mozilla were first pushing Firefox in South Korea which are worth a read
if you’re interested more in how the situation arose.

<https://blog.mozilla.org/gen/2007/02/27/the-cost-of-monoculture/>

<https://blog.mozilla.org/gen/2007/09/21/update-on-the-cost-of-monoculture-in-korea/>

~~~
robin_reala
Gen just posted a 2012 update to the above blog posts:

<https://blog.mozilla.org/gen/2012/11/15/2012-update-to-the-2007-cost-of-monoculture-in-korea/>

~~~
gkanai
This is Gen Kanai (that's my blog you're reading).

I recently had a chance to speak with some of our Korean community members and
the sad reality is that Ahn Lab was/is part of the problem (they sell plugins
to Korean companies who need them, which is unfortunate for a security
company).

Ahn seems to be a savvy politician. He's campaigning on whatever works. I am
told that he does not really care about the browser monopoly in Korea (which
makes sense, sadly.)

------
jordanthoms
Wow. That's some horrible lawmaking right there. Massive costs to everybody
just because some busybody wanted everyone to use his/her crypto standard.

~~~
lmm
How else should they've done it? Remember this is a time when mainstream
browsers are only shipping 56-bit crypto because of US export regulations.
They needed a standard and a standard implementation (because having
generalist developers, even good ones, implementing crypto is a recipe for
disaster). Netscape didn't have extensions (only plugins); ActiveX was likely
the only extension API that offered the right hooks for implementing something
like this.

~~~
jordanthoms
Why should the Government legislate what crypto you use?

~~~
seabee
Funnily enough that's precisely why another government legislated what crypto
their citizens should use.

------
Tsagadai
A link to their source:
<http://blogs.wsj.com/korearealtime/2012/11/13/ahn-pledges-to-end-outdated-encryption-standard/>

~~~
gpvos
Thanks. This article also explains why South Korea didn't just mandate 128-bit
crypto, but SEED specifically. (They hoped it would become the standard, so
they could collect royalties.)

------
mrb
Is there any Korean here that can give a perspective on how the Korean open
source community has adapted to the proprietary SEED cipher? Has there ever
been an attempt to implement it in openssl, gnutls, etc, so as to not depend on
this ActiveX plugin?

~~~
qxcv
> Has there ever been an attempt to implement it in openssl, gnutls, etc, so as
> to not depend on this ActiveX plugin?

SEED is implemented in NSS (Firefox's network security backend)[0] as of 2010.
I'm not sure whether or not that removes the dependency on IE, though.

Edit: looks like it's implemented in OpenSSL as well[1].

[0]: <https://bugzil.la/453234>

[1]: <https://www.openssl.org/docs/apps/ciphers.html#SEED_ciphersuites_from_RFC4162_>

~~~
mcpie
The dependency on IE is also a result of Korean coders/designers relying on
the quirks and bugs and specificities of IE6 for their websites. Even when it
comes to non-e-commerce sites, many (most?) sites won't function properly if
you don't use IE.

This is the end result of the encryption-thing, so getting rid of that would
be a proper step forward, but wouldn't solve the problem itself. By now IE
is systemic :[

------
yen223
It is said that governments should legislate for results, not actions. This is
a very clear example why.

~~~
a-priori
Laws like this should use wording like the Frye Standard for expert testimony,
which says that scientific principles must be 'generally accepted' by the
scientific community to be admissible in court.

Likewise, a law mandating cryptography should say that banks, and other
organizations that deal in sensitive data, must use cryptography algorithms
and practices that are 'generally accepted' by cryptographers as being secure.

<http://en.wikipedia.org/wiki/Frye_standard>

------
ygra
The title is probably a bit sensationalist, given that the aim is not getting
rid of IE but getting rid of the dependence on an IE plugin due to
non-standard crypto.

------
kijin
Several banks in Korea currently provide Firefox and Chrome plugins that
implement one or another legally mandated crypto algorithm. Some of them even
work on Linux. Thanks to Apple and Samsung, there has been a lot of demand
for mobile e-commerce apps, and once you've ported your Windows crypto
software to iOS and Android, it's not too difficult to port them again to OSX
and Linux. As of 2012, the cross-platform online banking situation in Korea is
not as bad as the article makes you believe, provided that you do business
with a sensible bank.

But the cipher is only one part of a very complicated situation. E-commerce in
Korea is still very much crippled in non-Windows platforms, because:

1. In Korea, the standard way for individuals to authorize an online
transaction is to sign it with an RSA key that is associated with an X.509
certificate that is issued by one of a handful of official bodies. (Korea was
actually quite forward-looking when they made these rules. This was in the
late 90s!) There are also detailed regulations about where in your Windows
filesystem your keys can be stored. So there needs to be a graphical interface
that displays all keys found in your filesystem, accepts a passphrase,
produces a signed transaction in a certain format, and feeds it back to the
web page you're on. That's a lot of work for a browser plugin to do,
especially when you want to make it platform-independent. And we all know that
the UI for client certificates is terribly broken in most browsers.

2. In addition, the client must be running firewall software that meets
certain requirements (Windows Defender doesn't qualify), as well as some sort
of anti-keylogging software for the duration of the transaction processing
(Big Bro looking after your own safety, how grateful). These rules were made
because some lawmakers got scared by keyloggers or something. Not sure how
effective they are, but most banks and online merchants supply this software
as ActiveX controls. The thing is, you need _administrator privileges_ in
order to run firewalls and keyboard drivers. Even in Windows, online banking
doesn't work unless you're using an admin account. I'm not sure whether this
would be even possible with standard browser plugins on OSX and Linux. AFAIK,
the consensus among Korean open-source developers seems to be that both
requirements are completely pointless and therefore not worth trying to meet.

As a result of these and other complications, most banks restrict non-Windows,
non-IE clients to relatively harmless tasks like viewing your balance. If you
want to engage in risky kinds of banking, like paying bills and sending money
to other people, you must augment your supposedly inferior security with
additional (again, legally mandated) protections, such as a one-time password
generator. I actually think that this is headed in the right direction -- OTPs
offer fantastic security -- but the current state of affairs makes non-IE
users continue to feel like second-class customers. Even with an OTP, some
tasks are still off-limits to Linux users.

------
pgsandstrom
I visited South Korea this summer and each and every web site, including the
national railroad operator, had mysterious bugs that prevented any intelligent
usage. It took me a few minutes to figure out that I simply needed to use IE.

------
dskhatri
It will be a good thing for non-Koreans too. I tried purchasing tickets on
Asiana Airline's website recently. Landing on their home page, I was greeted
with a message saying the website was optimized for Internet Explorer. Sure
enough, I couldn't select my destination from the drop down menu on Chrome.

------
allerratio
Why not implement the crypto standard in Firefox/Chrome?

~~~
saraid216
Because they didn't exist yet?

~~~
ibotty
i guess (s)he meant: why not implement that standard in firefox now. that
would remove the lock-in to ie as well.

(it might not be possible because of patents, etc. but the government should
-of course- be able to fund it.)

~~~
raverbashing
Or create a shim/adaptor, or even reverse engineer the darn thing and put it
inside a Firefox plugin

Or the alternative is better, wait until someone finds a flaw in this
'standard' (shouldn't be too hard) and have fun with it.

------
jayfuerstenberg
We're rooting for you Korea! Don't let us down.

~~~
keywonc
Certainly hope so! This issue needs to be rectified regardless of who becomes the
president: If either of the two liberal ones (Ahn or Moon) wins we have hope.
But if the conservative party (Park) wins the election I wouldn't expect the
change.

The unusual IE dependency is now hurting the Korean internet industry, as both
the established brands and the startups in Korea develop for IE, their
services end up failing to go beyond the Korean market. Hard to globalize your
offering when you have to start satisfying a peculiar domestic market, and
when you grew up using ActiveX and IE most of your life.

