29 April 2010

Is South Korea's Crazy Experiment Ending?

I've written a number of times about the curious experiment South Korea has been conducting: making its entire governmental and financial computing infrastructure dependent on Microsoft by requiring *all* users to install proprietary security software that is typically an ActiveX plugin (yes, one of *those*).

This is obviously insane, because it forces people to use a piece of technology that has been a major cause of security problems on the Windows platform, and it creates a monoculture, with all the weaknesses that implies.

Despite the manifest folly of this approach, changing it has been hard because of the total lock-in. But apparently change is finally coming, and for a couple of surprising reasons:

For those of you who have followed my blog, you know that it has been 3 years since I first reported on the fact that Korea does not use SSL for secure transactions over the Internet but instead a PKI mechanism that limits users to the Windows OS and Internet Explorer as a browser. Nothing fundamentally has changed but there are new pressures on the status quo that may break open South Korea for competition in the browser market in the future.

In fact, one of the new pressures on the status quo has been the popularity of the iPhone in South Korea, which wasn’t available officially until late 2009 due to a different Korean software middle-ware requirement, WIPI, which has since been deprecated. With WIPI dead and buried, Apple released the iPhone to great fanfare in the Korean market and Blackberry has also launched in the Korean market.

Another pressure on the status quo was a recent report out from 3 researchers (Hyoungshick Kim, Jun Ho Huh and Ross Anderson) from the University of Oxford’s Computing Laboratory, “On the Security of Internet Banking in South Korea.”


The popularity of the iPhone (the press claims 500,000 units sold in the few months since it was released) resurfaced the issue that only Windows and IE can be used to make secure transactions with Korean Internet services. iPhone/Blackberry/Android users in Korea (not to mention Firefox/Opera/Safari/Chrome users) cannot bank online or purchase items online or do any secure transaction with the smartphone browser because Korean services only support the PKI mechanism that only works with Active-X in IE and Windows.

This is a rather unlooked-for consequence of the arrival of smartphones in general, and of the iPhone in particular. Combined with pressure from the users of other browsers and other operating systems, we can hope that this will bring the South Korean government to its senses, and end this bizarre and unfortunate experiment in government-mandated monoculture.

Follow me @glynmoody on Twitter or identi.ca.


Anonymous said...

I think you got that wrong, they were going to go completely on open source. Not closed.

Glyn Moody said...

Because the South Korean government specified a financial security standard based on ActiveX, it was almost impossible to use open source online.

That's slowly changing, but will take time to undo.