Wednesday, November 6, 2013

South Korea is stuck with Internet Explorer

Some additional details that the article doesn’t mention:

  1. Technically, the law doesn’t require that you use Internet Explorer. The law merely requires that you use a bunch of technologies, ranging from 128-bit encryption to government-issued client certificates to government-mandated antivirus to (craziest of all) an anti-keylogger utility. Conveniently, the spec was written with Windows & IE in mind, so it’s very difficult to write alternative implementations for other platforms.

  2. This is not a matter of being stuck with older versions of IE like many corporate intranets in the West. In fact, most banks in Korea work perfectly well in IE11 as long as you don’t try to use the Modern UI (Metro) version. Because this is not so much about IE as it is about the WIN32 environment.

  3. The proliferation of phones and tablets has motivated banks and payment gateways to write iOS and Android implementations of the spec. This was the first time anybody tried to implement the spec outside of Windows & IE. But once you have one alternative implementation, it’s much easier to port it to other platforms like Mac, Linux, and FF/Chrome on Windows. This is happening slowly.

  4. Despite the appearance of these alternative implementations, the spec itself is still very problematic. For example, the antivirus and anti-keylogger requirements cannot be met unless the programs in question have root privileges on your device. It feels insane when you browse to a bank’s home page in Linux and it tells you to download a bunch of apps and execute them as root. And of course those apps are only designed for specific versions of specific Linux distributions, so they break as soon as a new Ubuntu release comes out. No thanks! Even in Windows, the Firefox & Chrome plugins are not packaged as proper extensions, but as standalone programs that integrate loosely with the browser like Flash and Java, because you can’t meet the spec within the confines of a browser’s sandbox.

  5. Okay so why not just run Windows in a VM? Actually that’s exactly what I do. But it’s not a perfect solution. Some of the Korean “security” apps have begun to detect when the user is in a VM, and refuse to work in a VM. There is no technical reason for this policy; they just don’t like people getting around the rules. My bank refuses to whitelist my VM as a trusted device. I’ve encountered at least one government agency that won’t offer online services to a VM. The last time I bought a bus ticket online, the e-ticket wouldn’t print because the printer port was virtualized and therefore could be used to produce duplicates or whatever.

  6. Even mobile apps, which the article mentions, are very pesky about their environment. The app for my bank won’t run on my phone because it’s rooted and therefore can’t be trusted. Fuck that shit. This affects everyone who uses CyanogenMod. (What’s even more ridiculous is that the same bank requires root on my PC.)

  7. Therefore, porting the spec to non-IE platforms and/or writing compatibility layers is not the answer. The spec needs to be fixed, period. No website should have the right to demand the use of any software other than a standards-compliant web browser. No website should require root, or even want to know anything about the environment (virtualized or not, rooted or not) in which it is being visited, except what the browser exposes to it by default.

  8. Of course this isn’t going to happen any time soon, because removing even one of the requirements on the current spec will be seen as a decrease of security, and nobody wants to take the blame the next time 10 million people get their account information stolen. Wait a second, every Korean citizen has had his or her personal information stolen multiple times in the last several years anyway. All the banks and merchants have desensitized users to the point that anytime any website asks them to install some app and run it as Administrator, they do. All the security theater of the last 14 years has done is to decrease the security of the entire country. It has also hurt the rest of the Web. Because it’s so much more convenient to write a Windows Forms app than to write a website that works in both IE6 and IE11, lots of interactive and media-heavy websites in Korea (especially gaming and file-sharing websites) have become mere landing pages where you download the actual app. After all, the banks are doing it, so why shouldn’t everyone else do the same?

  9. One move in the right direction is that since this September, every large (over ~$3000) online transaction requires two-factor authentication. They’ve been handing out one-time password generators like candy lately. The ubiquity of mobile phones also means that you can even choose to use three-factor authentication (login + one-time password + SMS token) for certain types of transactions. Hopefully this will eliminate the justification for the anti-keylogger utility, since the passwords and SMS tokens can’t be reused anyway.

  10. [Edit] Another positive development is that the Korean government has finally begun to pay attention to accessibility on the Internet. At the moment, among Korean web developers, accessibility is an even hotter topic than standards compliance, because lack of accessibility can get you into nasty lawsuits and hefty fines. Everyone’s busy adding “alt” attributes to tags. But hopefully, in the long term, focusing on accessibility will also bring people to care about standards compliance.


I’ve lived in Korea for quite a length of time and my wife is Korean…and I concur that it’s a nightmare. No Korean financial institution will let you log into their interfaces on anything other than IE. Often the homepage would be completely broken in anything other than IE anyway. This is true for most sites, though those were easily avoidable. Banks and the like, not so much.

To perform financial transactions online in Korea, you would need a plethora of software (often one from each party you would deal with) that revolved around security certificates that were issued by the banks that would store a hard copy of the certificate locally on your computer. Often it didn’t work at all, not even getting into the security implications of the system. Bank hacking is so common in Korea, it’s really disturbing. There is absolutely no accountability where the attempts at security do exist.

Also, you need to use your Citizen Number (basically a Social Security Number) to register for ANY service in Korea, even common websites. So everything you do can be traced via that single number. For foreigners, registering for common sites is usually impossible because our alien numbers are stored wherever normal citizen numbers are, so unless the site has a separate process for foreigners, you’d be out of luck. It’s quite a mess. I can’t say enough bad things.

On the bright side, start ups like Vingle in Seoul are doing a lot to tip the scales for the younger generation by only supporting modern browser versions (IE8+, not the most modern, but definitely a step up from IE6, which has a huge market share still, too), but it’s a slow change.


Also, you need to use your Citizen Number (basically a Social Security Number) to register for ANY service in Korea, even common websites.

Since 2011, websites cannot ask for or store resident registration numbers (that’s the official name) for non-financial purposes. Sadly, it happened after a major incident which exposed RRNs of more than 70% of Koreans. [1] It is a common estimate that every Korean person has had his/her RRN hacked at least twice due to frequent incidents.

The Korean government endorses i-PIN nowadays, which is basically… uh… redundant aliases to the unique RRN. This is obviously stupid: you can hack i-PIN instead of RRN and you have the same credential. Well, at least i-PIN is random. (RRN had very low entropy, and even shallow information about the target may limit possible RRNs to only hundreds.)

[1]… for the 2011 incident.

comments from:

original article:

from Lizard’s Ghost

