Korea Post Office Supports XPCOM Based E-Banking

Channy writes "Mozillazine is reporting that the Korean Post Office has decided to support Mozilla Firefox for internet banking and has started the developement project of an XPCOM based internet banking system. From the article: 'In past there were no web browsers for 128 bit encryption except Opera 3.5 for international users when Korea started internet banking services in 1998.'"

Now

[42Penguins]

All they need to do is DROP support for IE.
Also quite the undertaking switching 4700 from windows to linux.
Yay for Korea and Korean memes!

Re:Now

[daviqh]

We could also have some more support in Mozilla Browser, and I hope they start support for that too.

Re:Now

[daviqh]

"Also quite the undertaking switching 4700 from windows to linux."

<snicker> Perhaps we should also drop support for IE in Windows... </snicker>

Re:Now

[strcmp]

Why should they drop support for IE? It's still the most widely used browser, despite its many flaws.

This is no worse than saying that they should drop support for Safari because it's so sparsely used.

Re:Now

[daviqh]

The point is that anyone relitively smart will know that it has tons of flaws, and wishes someone takes an act against it.

Re:Now

[mrchaotica]

No, they should drop support for IE because it's unsafe to use.

Re:Now

[strcmp]

Unsafe for the client, but not the server... as far as I know. People should be aware that they browse "at their own risks" and do have a choice as to which browser to use. If some people want to use IE, well, they were warned.

A better solution, of course, is to have a banking system that is not dependent on the underlying browser architecture.

Re:Now

[Tolookah]

yes, but for a moment, consider the average person...

now, 50% of the population is dumber than that...

Re:Now

[killjoe]

The average person will eat whatever you shove down their throat. MS knows that, Politicians know that, why don't you know it?

Re:Now

[Trejkaz]

I might not have been too hard to get people to switch because in Korea, only old people run Windows.

Re:Now

[Douglas+Simmons]

Thank you, George Carlin

Re:Now

[QuietLagoon]

Why should they drop support for IE?

Because it is standards-challenged?

Re:Now

[bit+trollent]

Compete on features, not on dirty tricks.

Aww screw it, who are we kidding. You morons would tell someone to ban IE from their website even if it would run them out of business.

Why?

Because you are a bunch of self rightous pricks. Thats it. You get on your high horse and you pontificate on matters which you don't really understand or have any business attempting to infuluence.

But what the hell. This is slashdot. Thrust your hypocritcal ideologies on the shitheap. It doesn't matter. Nobody takes you seriously.

Re:Now

[bit+trollent]

No, you need to drop your self-rightous worthless opinons. Who do you think you are? Compete on features, not on dirty tricks. Aww screw it, who are we kidding. You morons would tell someone to ban IE from their website even if it would run them out of business. Why? Because you are a bunch of self rightous pricks. Thats it. You get on your high horse and you pontificate on matters which you don't really understand or have any business attempting to infuluence. But what the hell. This is slashdot. Thrust your hypocritcal ideologies on the shitheap. It doesn't matter. Nobody takes you seriously.

Re:Now

Neither is Firefox. Whats your point?

Re:Now

[McGiraf]

Hi! having a nice day?

Re:Now

[a.d.trick]

While I'm not is support for such a non-standard implementation unless it's absolutely nessisary, there is a big difference between being firefox only and safari. Firefox is cross-platform, it works on mac, linux, and most importantly windows. It's a lot easier for people to do a free 5mb download than get a whole new computer.

Re:Now

[Louis+Guerin]

Never gonna happen. Korea is a windows monoculture.

Not that it's unique in that respect.

L

Re:Now

[mrchaotica]

Having a cross-browser system is important, yes, but if I were a bank I would seriously consider (artificially) locking out IE, in order to reduce the risk of fraud for my customers.

Re:Now

[iluvcapra]

FTA: After browser war, it was useless the NSplugin for internet banking, so most of bank support only Active-x plugin. So some Mac and Linux users are troubled on using internet banking.

Though they were troubled, they were likely not as troubled as the "Active-x" users.

Re:Now

[Archibald+Buttle]

It'll be a cold day in hell when a Korean institution drops support for IE. There's basically nothing but Windows in Korea - mostly Win98 at that.

Very few web sites in Korea work correctly on anything besides IE - you're SOL if you want to access your bank in Korea from a Mac, Linux, or using Firefox.

Re:Now

[Daengbo]

Agreed. I was sriously disappointed when I moved to S.K. from Thailand. I haven't yet seen an Linux computer in the country, despite regularly visiting places like tech malls.
The company that makes Hangeul Office (which appears to have better market share than MS Office here) produce a version of linux in order to offer their office suite on it, but I have never heard of anyone using it except myself.
Compare this to my time in Thailand when the hypermarket down the street would sell computers with Linux on them and the newsstand had small books on it, and I feel that Linux has made no inroads into S.K. at all.
That said, Thailand appears to have ditched Linux, as well. My visit their in June showed that I couldn't find a single book published in the last year about it. I guess that the governments turnaround on its Linux policy and subsequent multi-year (no cost) agreement with MS really took its toll.

Re:Now

[pandrijeczko]

Compete on features, not on dirty tricks.

So presumably security, usability & interoperability don't get a look in then? As far as you're concerned, the more menu options & icons to click, the better then?

Re:Now

[generic-man]

Since when is XPCOM a "standard" for anyone but the Mozilla foundation?

You might as well call Firefox 'standards-challenged' because it doesn't support ActiveX*.

* BZZT WRONG THERE IS AN EXTENSION JUST DOWNLOAD AND INSTALL IT AND MAKE SURE NEVER TO UPGRADE FIREFOX WITHOUT CHECKING FOR EXTENSION COMPATIBILITY FIRST

Re:Now

[master_p]

I guess he is neither MS nor a politician.

Re:Now

Damn, you built a hell of a strawman argument there. Don't put words in other peoples mouths just so you can argue against them. It makes you look stupid and small.

Re:Now

[pandrijeczko]

Sorry, but in my book, if a piece of software is buggy as hell, then I'd rather those bugs were fixed in the next release than have yet more features.

Obl. "In Korea ..."

[weighn]

Only old people use secure internet banking.

The kiddies are swapping cvs details over Telnet.

Re:Obl. "In Korea ..."

[daviqh]

I just checked and...the winner is:

No Button...anyone persistant and speak Korean?

Great news!

[webby123]

Great news, does this mean they will be including a "get firefox" icon on their website?

Re:Great news!

[daviqh]

I just checked, and they don't have one...

pouts...

Re:Great news!

[mnemonic_]

Um, who the fuck cares?

Microsoft

[jasonBTV]

Anything that helps take market share away from Microsoft...

which korea?

[petermgreen]

is this north korea south korea or both?

Re:which korea?

[daviqh]

Maybe they both share a post office? They are based in Seoul, and their site says nothing about who they serve, but perhaps it is whatever side of Korea Seuol is on. Just my $.02

Re:which korea?

[daviqh]

One theroy suggests that perhaps under 5 minutes ago, Korean's in North and South Korea decided to "merge". Somehow in that time we didn't find out about it and the Postal offices merged and changed their name.

Re:which korea?

[damsa]

North Korea doesn't have internet nor money. My bet that this is South Korea.

Re:which korea?

is this north korea south korea or both?

Ha ha ha. Are you trying to seduce me or something?

Re:which korea?

[Geoffreyerffoeg]

You're right that it says it's in Seoul, so it would be in South Korea.

(You're completely mistaken if you think that North and South Korea would want anything to do with each other. Here's a hint: there's troops on each side of the border between them.)

Re:which korea?

[minus_273]

mod funny. haha north korea. FYI, think of how many koreans you know that call themselves south korean instead of korean and you will understand why korean is used.

Re:which korea?

[natrius]

You're completely mistaken if you think that North and South Korea would want anything to do with each other. Here's a hint: there's troops on each side of the border between them.

"It's time for us to put an end to history of dissension, and open an era of national integration. This also means laying the grounds to surmount division, and to ring in a reunified era ruled by peace and prosperity."
- South Korean President Roh Moo-hyun

Sure, there's some tension there, but I think saying that they want nothing to do with each other is a bit much. That'd be a better characterization for Pakistan and India, where some of the people actually dislike each other. I don't think the North and South Korean people actually dislike each other, but one group just happens to be ruled by a crazy dictator.

Re:which korea?

[AstroDrabb]

Huh? You are quoting _SOUTH_ Korea. There is a _huge_ difference between what South Korea wants and what North Korea wants. South Korea is basically democratic. North Korea is a dictatorship.

where some of the people actually dislike each other. I don't think the North and South Korean people actually dislike each other

I agree with you there. However, there is the HUGE problem of the North Korean dictator that is know for having pretty bad human rights violations. I doubt many South Koreans would volunteer to be a part of that.

Re:which korea?

[Louis+Guerin]

I'm really glad the parent got modded 'funny'. Must be another geographically-challeneged american.

L

Re:which korea?

[petteri_666]

At least they have a webpage http://www.korea-dpr.com/

Re:which korea?

I don't think the North and South Korean people actually dislike each other, but one group just happens to be ruled by a crazy dictator.

Ahhh, so just like Canada and the USA?

Re:which korea?

[petermgreen]

fyi i'm a brit not an american though i wouldn't say geography is my strong point.

p.s. seems i lost karma on my original post due to the combination of funny and overrated :(

Re:which korea?

[turbidostato]

"...but perhaps it is whatever side of Korea Seuol is on"

Of course it is South Korea but then, why don't they say "South Korea". Please note that as to date, there's no country known as Korea, just as there's no state within USA known as Carolina. Why don't use its proper name, then?

Re:which korea?

"...think of how many koreans you know that call themselves south korean instead of korean and you will understand why korean is used."

No, I won't.

I know there are literally millions of people that would call northamericans "those dumbasses", should we talk about Dumbassland from know on, instead of USA?

Re:which korea?

[zarr]

At least they have a webpage http://www.korea-dpr.com/

And they have javascript menus that work flawlessly in Opera. I love North Korea!

Re:which korea?

[ytm]

You quote South Koreans. North Koreans have (or at least that's what they talk loud) quite different opinion. 50 years of indoctrination means two-three generations risen and educated in North Korean madness.

Here is their news agency site:
http://www.kcna.co.jp/index-e.htm

Re:which korea?

[cortana]

Are there any countries with "democratic" in the name that are actually democratic?

Internet explorer

[cataclyst]

You know... [[insert IE bash here]]

Next week, on slashdot, Pimp-my-Anything-but-microsoft...

Re:Internet explorer

[mnemonic_]

Hey that's not a real wikipedia article. What's the deal?

Re:Internet explorer

[strcmp]

In case you did not get the joke, in Wikipedia's markup language, putting double brackets around an article title autolinks to that article (usually at http://en.wikipedia.org/wiki/Article_title).

Support for Firefox????

All you need to do is support a standard web browser (without requiring activeX crap to work), and firefox works fine.

My bank doesn't "support" firefox, but it works great.

Re:Support for Firefox????

[ScrewMaster]

Yeah. My bank only mentions Netscape and Explorer on their site, but also say that any Javascript-enabled browser with 128 bit or better security should work. A few years ago they were IE-specific, which used to irritate me ... for the one thing I do online that I really want to be secure I had to use the world's least secure browser. But they got with the times.

Re:Support for Firefox????

[daviqh]

"I really want to be secure I had to use the world's least secure browser"

Don't you just love oxymorans...

Re:Support for Firefox????

[Bloke+down+the+pub]

I like oxymorons, but that wasn't one.

SEED?

[erikharrison]

The article is a little ambiguous - this seems to be only for SEED, a Korean only strong encryption algorithm, which itself isn't native to browsers, which is why they required activex in the first place.

Re:SEED?

[Channy]

In past, there were no 128bit browser for international users. But, 40bit is very weak for financial service. So Korea chose plugin based internet banking and made own 128bit algorithm called SEED. Firstly, both NSPlugin and ActiveX were supported. After browser war, there is no market share of Netscape. So most of banks stop NSplugin. The SEED goes to world standard. http://www.ietf.org/html.charters/smime-charter.ht ml http://www.ietf.org/internet-drafts/draft-ietf-smi me-cms-seed-02.txt

Re:SEED?

[hey]

Better link: RFC4010

who cares

[Anonymous+Cowterd]

Who cares that they are creating an XPCOM piece of shit? Why dont they just make a web-based thing that would work for all browsers. And seriously, you people are such hypocrites. XPCOM doesnt work on IE, and activex doesnt work on Firefox. So that instantly makes Firefox better? Give me a break.

Re:who cares

[The+Original+Yama]

XPCOM is freely available for anyone to implement (unlike ActiveX). It is more secure than ActiveX and more functional than AJAX.

Perhaps MS should include XPCOM in IE? There's nothing stopping them, really.

Re:who cares

[suitepotato]

The "cross platform standards is superior" line is only trotted out when it is against Microsoft. Apple could create a horrific new music format with more sinister DRM than Microsoft has ever remotely dreamt of and Slashdotter would give it a thumbs up. Ubuntu could drop all support for zip, bzip, etc., in favor of a proprietary new compression format that no other distro used and it would get glowing reviews and plaudits for it.

Microsoft could propose a new format the specifications of which they intend to make freely availible at no charge and they'd be excoriated faster than you can Slashdot Effect a Packard Bell running NT 3.51.

If this doesn't work across all platforms then all it is doing is seriously disenfranchising a massive number of customers and that is no better than any of the things MS is taken to task for endlessly or any company that embraces MS technologies over those of Firefox and company.

Re:who cares

[zurab]

Hmm... Let's see:

Who cares that they are creating an XPCOM piece of shit?

Anyone in Korea that cares about cross platform compatibility of their banking and other related applications.

Why dont they just make a web-based thing that would work for all browsers.

Because as other posters and the article itself pointed out, the banking industry is already standardized on using SEED instead of SSL. Presumably changing that would be a tougher undertaking. Besides, XPCOM could work in any browser and any platform if a maker of that browser decided to support it - no Firefox or Mozilla suite are required.

And seriously, you people are such hypocrites.

OK, people out there definitely are.

XPCOM doesnt work on IE, and activex doesnt work on Firefox.

Sure, but the advantage of "Cross Platform Component Object Model" is that it works "cross platform." As I mentioned earlier, this enables any maker of any browser on almost any platform to use XPCOM. You can't say the same for ActiveX, which is an MS proprietary extension.

So that instantly makes Firefox better?

No, it makes XPCOM "better."

Re:who cares

[Anonymous+Cowterd]

"The 'cross platform standards is superior' line is only trotted out when it is against Microsoft." This is about the smartest thing that any slashdotter has ever said. I applaud you for the truthfulness of your post. Basically, the rule is "We don't care if it's good or if it even works. If it's not made by Microsoft, we like it. Otherwise, we'll flame it until the rest of the Internet sees things our way."

Re:who cares

[pandrijeczko]

Microsoft's one core function is to provide you with software that allows you to use your PC in the way you want it to - it is not there to make decisions about who you can and cannot do business with purely because its closed standards dictate that.

It's "tunnel-visioned" individuals like yourself that always turn arguments about cross-platform & open standards into "anti-Microsoft" ones - surely, the idea of an open standard is that everyone can use it???

Re:who cares

[pandrijeczko]

Ubuntu could drop all support for zip, bzip, etc., in favor of a proprietary new compression format that no other distro used and it would get glowing reviews and plaudits for it.

This statement is an oxymoron and demonstrates your lack of knowledge of open source.

The fact that any Linux distribution like Ubuntu gets used in the first place is because it has a high degree of compatibility with software that any other Linux distro uses - introducing a proprietary compression format would probably be the death of any distro because no-one would want to use it.

I suggest you need to go read about this more to become better informed - you'll then understand that a Linux distro is just about a particular way of packaging and presenting software to appeal to users of varying degrees of ability - ultimately, however, it's all comes from the same source code anyway.

Re:What's the point of the encryption?

[daviqh]

It's the thought that counts...

Not quite following...

[uits]

Because they were unable to use 128bit SSL in 1998, they are going to develop internet banking that is dependent on Mozilla XPCOM, instead of taking a cross platform standard SSL approach now?

While Mozilla is ostensibly a better platform to be locked into than Microsoft, is this really a big benefit?

Someone please translate for the layman (me)

Re:Not quite following...

[daviqh]

Mozilla is a corperation now, and not to start a conspiricy theroy, but maybe

<winkwinknudgenudge> there is some cash flow below the table.</winkwinknudgenudge>

Re:Not quite following...

[uchihalush]

or maybe there is some cash flow between you and M$ */endwinkwinknudgenudge*/

Re:Not quite following...

[Ambush+Commander]

Mozilla is not a corporation. Mozilla Corporation is a corporation, Mozilla Foundation is a non-profit organization, and the foundation is the parent.

Although they did do that with Google (prefetching, anyone?)

Re:Not quite following...

[Wizarth]

I'd say it's because they have all their SEED technology in place, and don't want to replace that. Especially since it currently works. Producing a XPCOM based plug-in for Mozilla based browsers lets them connect to SEED encrypted connections, without replacing infrastructure.

Re:Not quite following...

[ihavnoid]

First, I'm a Korean citizen who uses on-line banking every day.

Just as the article mentions, 128-bit SSL wasn't an option when the internet-based banking started on 1998, so Korea had to develop their own standards. Since there are more than 10 million SEED-based certificates issued on this country, changing the whole infrastructure into SSL would be crazy.

Yes, certficates are issued to everybody who needs an on-line banking account, since itself is used as an authentication method. To get a certificate, you have to visit any bank that you have an account, ask them for on-line banking, and they will give you a one-time password for issuing your certificate (valid for one week).

Everything else is handled on-line. Since the authentication system is a national standard, it works with any bank, any credit card company, and I remember it also works on the stock market. You don't need any offline registration to use it on another bank.

The certificate is password-protected, just like any other certificate. I believe the certificate is node-locked. If you want to export/import the key, you need the password associated with the key.

I'm not sure how many of these kind of features are supported by SSL, but even if IE/Firefox/Opera's SSL has more features, I don't think it's a good idea to replace a system that works well. Yes, I hate ActiveX, but I don't want to see 10+ million Korean citizens visit the bank for re-issuing their certificate.

Re:Not quite following...

[stoev]

Are there any free open source implementations of SEED? I think a change to SSL should be discussed. I am also in Korea (I work here). In 10 minutes I will extend my SEED key online, which expires soon. I will not go to my bank (which is 50 meters from me). The same method can be used to change all the keys to SSL. No need to visit the bank office.

My personal opinion is, that the existing e-banking system in Korea is substandard. ActiveX requires admin on XP to install and most banks install 2-3 other activeX. This has to stop. Somebody has to educate these guys how to do e-banking.

Re:Not quite following...

[Rits]

It is a real pity they didn't go with Opera at that time... Obviously, it was an option.

Re:Not quite following...

[WARM3CH]

Why every 10+million Korean citizen need a personal certificate to use ebanking in the first place?? There are far simpler and as secure (or even better) methods for e-banking. Example? Look at the methods some Swiss banks like UBS use. The web interface is a simple SSL secured page. Each e-banking user receives a smart-card and a smart-card reader (the size and shape of a small pocket calculator). Now, user should set a password for the smart-card the first time he/she receives it and the hash key will be stored inside the smart-card itself so even the bank do not know the user's passwords. To access the account, the web page gives you an 8 digits random number and you should enter it in your smart-card reader and answer back with a 6 character generated hash code. Simple, right? The advantage? Even if somebody stoles the smart card, without your password he can't use it and the password is never sent over the net and the web interface generates random codes each time you connect to it so a previously used hash code can not be used again. The password to the card itself is not even inside the smart card (there is only the salt value there, if you can ever read the salt...). Now with this system, one can access his banking info securely with his PC, laptop, PDA, mobile phone with secure WAP and so on. No need to tell the user what web browser to use!

Re:What's the point of the encryption?

[korea]

Replace "Koreans" with any other modern country, and see if the same statement doesn't fit. Also, keylogging isn't a Windows-only problem.

Despite spikes in complexity, the amount of time it takes to decrypt even the newest encryption methods is relatively trivial, so what's the point of encryption for anyone on the planet?

The Earthlings are mostly made of carbon, so they would burn pretty quickly -- or they will once the sun starts to fizzle out and completely engulf the Earth... so what's the point to being alive?

Re:What's the point of the encryption?

The Koreans are mostly living in cities, so they are probably loaded down with thugs -- or they will be, once it pays to load them down with thugs who beat people up for their passwords.

What's the point of the keyloggers? They still lose.

Is there a STANDALONE xpcom release?

[mi]

Xpcom should, really, be available in a standalone tarball, so that it can be built, tested and deployed independently. Does anyone know, whether such a thing exists somewhere?

Mozilla is quite infamous for bundling everything (and the kitchen sink) into one. Only OpenOffice is worse...

Re:Is there a STANDALONE xpcom release?

[strcmp]

http://www.mozilla.org/projects/xpcom/xpcom-standa lone.html

Re:Is there a STANDALONE xpcom release?

[pe1chl]

IMHO this was a strong point in Mozilla that is now weakened by Firefox, Thunderbird etc.

Especially in the way these programs are packaged now, you cannot upgrade them (and Gecko) independently. Configuration management in a business network has also been made even more complicated.

I like integrated software. Users often like it, too. Especially in the field of open source and non-M$ software, as integration between different programs is often a lot weaker than integration within such a large package.

Re:Is there a STANDALONE xpcom release?

[mi]

Thank you! However, according to the page, it was last updated in 2000 and:

xpcom standalone differs from the xpcom built with mozilla. Hence cannot be used with the mozilla browser.

I'd like to be able to build and test a modern xpcom independently, so that various mozilla-based browsers and e-mail programs can be built using it instead of each using its own with its own unique set of bugs...

Finally, there is no release of XPCOM standalone -- nothing on the FTP site and the download instructions on the page advise on how to use CVS to get it...

Re:What's the point of the encryption?

[WindBourne]

Also, keylogging isn't a Windows-only problem.

Hummmmmm. And what none MS keylogger is there? In fact, what none MS virus/worm is there that is causing any real issue? Not just logged, but actually causing a problem?

the amount of time it takes to decrypt even the newest encryption methods is relatively trivial, so what's the point of encryption for anyone on the planet?

Really? So what solution do you have that allows for 2048 bit key RSA to be solved in this year? In fact, lets make it 128 bit.

Mod parent up!

[SanityInAnarchy]

He's an asshole, but he's right this time. Why not use AJAX? Not just to support IE, but to avoid installing software on the local machine...

Re:What's the point of the encryption?

Surely you jest. Ever heard of rootkits, buffer overflow exploits and the like?

I work IT department at a major university. Our servers are probed relentlessly. If we don't stay up on the patches, we will get 0wn3d rather quickly.

I can't tell you how many times some boneheaded student who thinks he is the alpha geek comes to school with his Gentoo or Fedora box, plugs it into his dorm room's ethernet jack, and then proceeds to get owned becuase he doesn't know jack about securing his box. Within a rather short period of time, these boxes are relaying spam (we block outgoing port 25 now) or have become a zombie host for some script kiddie's botnet on IRC.

Windows is definitely a problem too, I certianly don't want to gloss over that, but you said non-MS doesn't get viruses.

Here I was, all excited...

... that South Korea was going to be calling X-COM for something, but nooo...

Re:What's the point of the encryption?

A 128 bit RSA public key can be trivially reversed. Perhaps you mean an RC4 or AES block cipher?

This explains it nicely

http://www.mozilla.org/why/framework.html

Re:What's the point of the encryption?

[korea]

I prefer none without the e, thank you. Both of your statements were addressed in replies to you by Anonymous Cowards. I hope that answers your question.

MOD PARENT UP

[Douglas+Simmons]

It's a good question.

Re:What's the point of the encryption?

No, I don't jest. The amount of issues that arises with VIRUSES and Keystroke Loggers on none-MS are NIL. As to worms/Rootkits/Buffer Overflows, yes, they do occur. The question is how much a problem is it? Very minor. As to the number of zombies, I used to work on a system that monitored OC-48s. We had several systems installed in several RBOCS (letting them see what traffic was going through, as well as selling to several agencies). One of the trivial things that we did was to pull stats for these. They showed that nearly all of the zombies that were sending were Windows boxes (better than 99.7%, which is interesting in that Windows accounted for less than 83% of all traffic). One of the things that our box did was to ID what type of system the packet was from.

For all intense purpose, all your spam, virus, and worms are coming from Windows boxes.

Have to say it

Obligatory cheers to Opera 3.5, the first browser to support 128-bit SSL

Post office

[DavidBartlett]

In case you were wondering, most bills are paid at the post office in Korea.

Mod parent up too!

[Jessta]

They aren't supporting firefox, they are just not supporting other browsers. I will be terrible to see when everyone becomes locked in to firefox. Free software is about freedom and compatibility. This will be neither.

Sims OO

"Mozilla is quite infamous for bundling everything (and the kitchen sink) into one. Only OpenOffice is worse..."

I believe OO has a dinette and washer/cryer set in theirs.

Re:What's the point of the encryption?

[CharAznable]

"the amount of time it takes to decrypt even the newest encryption methods is relatively trivial"

Uh, no.

128 bit encryption in AJAX?! Mod parents way down.

[SimHacker]

You have completely missed the point, which is to use 128 bit encryption over the wire, because the encryption built into the browser is not strong enough.

Are you proposing implementing the encryption on the server side, and sending passwords over the net unencrypted?

Or are you suggesting they implement the 128 bit encryption algorithm in JavaScript?

-Don

I can see it now!

[Agarax]

Oh yeah, I can see you at the board meeting now:

You: "Well, sir. I think we should block out Internet Explorer users because their browser is unsafe."

Boss: "Is it unsafe for us or them?"

You: "Them. It would'nt really effect us. They are just more likely to become victims of identity theft through a virus."

Boss: "Can they also get the same virus through an email attachment? Or by someone digging through their trash?"

You: "... yes."

Boss: "How many of our customers use IE?"

You: "About 80%"

Boss: "And what is there to prevent them from moving to another bank that DOES support their browser?"

You: "Well, that would be a lot of trouble for them to go through. It's easier to just download a safe browser."

Boss: "And what would we do about the advertisements our competitors would air stating that we don't properly support internet banking because we dropped support for IE? Getting new customers might become difficult."

You: "Well ... we tell them that it is foolish of them to use Windows and Internet Explorer and that they should switch to something else."

(Long Pause)

Boss: "While we are at it, why don't we refuse entry to SUVs in the drive-thru ATM because the customer is more likely to scratch his paint and he is wasting the gas he paid for? You should stick to IT, you don't know jack about how a business works. "

Re:I can see it now!

[Hurricane78]

To me this looks a bit like that suppressing kind of arguing where moral is irrelevant and profit is everything, that lets every human with some sense of indebtedness feel some pain inside.

It's that feeling of: "this just isn't right!" even if it's "correct and makes sense"

To me poeple who decide in that style even are near to criminal in cases of legitimity and fairness.

Yes, maybe I'm just a lone idealist in a dog-eat-dog society. But I'm proud of it an if I die poor (in cases of money) because of this, at least I die happy (in most other cases) and with a clear conscience.

(Did I mention that i would bet that i could bring up unbeatable arguments arguments to everyone, that business in it's base is one of the two main supports of pure evil in this world? [dumbness is the other one an ist mostly required as the culture medium for it])

Re:I can see it now!

[mrchaotica]

Boss: "Is it unsafe for us or them?"

You: "Them. It would'nt really effect us. They are just more likely to become victims of identity theft through a virus."

That's incorrect. In case you haven't noticed, most banks advertize that they'll bail their customers out when they get defrauded. So it does effect the bank, because they have to raise interest rates to cover their losses from fraud.

Boss: "And what would we do about the advertisements our competitors would air stating that we don't properly support internet banking because we dropped support for IE? Getting new customers might become difficult."

We tell them that, (apparently) unlike other banks, we care about their financial well-being, and try to do everything possible to ensure a safe electronic banking experience.

Re:I can see it now!

[Bloke+down+the+pub]

because they have to raise interest rates to cover their losses from fraud.

Er ... bullshit.

Re:What's the point of the encryption?

[WindBourne]

hummmm. Actually, I was thinking of AES. Brain fart, I guess. Thanx.

Misinformation about ActiveX/DCOM

[SimHacker]

Thanks for trying out, but you can't be a cheerleader if you don't do your homework.

The ActiveX Specification is freely available for anyone to implement. In case you didn't know, XPCOM is just an open source knock-off of ActiveX, with enough gratuitious changes to make them incompatible in practice. But essentially, they're the same thing.

XPCOM is no more secure than ActiveX. They both have total access to your computer. It's irresponsible of you to spread the misinformation that XPCOM is more secure than ActiveX, when it's not. It doesn't help anyone to have a false sense of security based on well meaning hype and uninformed cheerleading.

You're right that both ActiveX and XPCOM are more functional than AJAX (for some definition of the word "functional" -- in the sense that it has more client side functionality).

Perhaps Firefox should include support for ActiveX? There's nothing stopping them, really. So then it wouldn't have been necessary for to write a special XPCOM control, since they could have used their original ActiveX control.

Oh yeah, I forgot, it's more important for Firefox to make a rhetorical point by excluding ActiveX support, than to serve the needs of its users. That's called cutting off your nose to spite your face.

-Don

Re:Misinformation about ActiveX/DCOM

[serialdogma]

ActiveX makes use of thw windows API to do everything, firefox is only writen in XML with gecko making it all work.
Gecko is ment to run on non-windows system aswel as on windows, making use of the windows api in linux is about as good as using POSIX on windows.
To add activeX to gecko's windows codebase would just spilt the userbase.

Re:Misinformation about ActiveX/DCOM

[SimHacker]

You're wrong, and you've completely missed the point of ActiveX and XPCOM.

They are both systems for defining interfaces that hide the way you implement services. ActiveX says nothing about which API you use to implement the interfaces with. The whole point of ActiveX and XPCOM is to separate interface from implementation.

ActiveX runs on MacOS, OS/X, Linux, Unix, without any Win32 api dependencies, and on Windows, where you can develop ActiveX controls with or without Win32 and MFC dependenceis.

I don't understand your argument about "making use of the windows api in linux is about as good as using POSIX on windows". Haven't you ever heard of cygwin? That's pretty good, and I use it all the time.

I also don't understand your argument about "To add activeX to gecko's windows codebase would just spilt the userbase".

You sound like those Loki appologists who argue that Wine is evil because it discourages people from developing games for Linux. If it solves some people's problems, then what's your beef with it?

-Don

Re:Misinformation about ActiveX/DCOM

Uh, right. Where are the ActiveX implementations on non-Windows platforms, exactly?

Re:Misinformation about ActiveX/DCOM

[SimHacker]

Of course ActiveX runs of non-Windows platforms. What rock have you been living under for the last six years?

-Don

The Open Group Releases COMsource 1.1

Menlo Park, CA. 10 January 2001 -- The Open Group has just released COMsource version 1.1, an enhanced version of the existing version, COMsource 1.0. COMsource is an open systems implementation of Microsoft's Component Object Model (COM) middleware developed for the Windows TM platform that extends the COM middleware infrastructure to UNIX TM. COMsource also allows independent software vendors to easily port their COM applications to non-Microsoft platforms. COMsource 1.0, released in September 1999, provides an object-based, distributed programming model that allows two or more applications, or application components, to easily interact and interoperate. COMsource 1.1 has a number of added features and benefits, including:

Updated to run on Solaris 2.6
Added support for the latest versions of NT and Windows 2000. COMsource is now compatible with NT 4.0 Service Packs 4, 5 and 6 and Windows 2000
Maintenance updates for build and runtime issues; enhancements to error handling to enable passing of rich error information between servers and clients on various platforms

The reference implementations include source code, an interoperability test suite and the reference documentation set. COMsource 1.1 also now has a Support & Maintenance Service offering, which consists of:

Consultation on using, building, installing and porting COMsource
Problem isolation and tracking
Critical problem escalation
Development of code fixes or workarounds for defects

For more information on COMsource 1.1, please visit www.opengroup.org/comsource

Re:Misinformation about ActiveX/DCOM

[XO]

Much like few people used the Commodore 128 in 128 mode because it emulated a 64, and few people wrote OS/2 native software because it could run DOS/Windows software, without winelib, wine would be seriously discouraging people from making native apps. winelib, from what i hear, makes making native apps easier. and that's where wine could actually HELP the state of Linux native apps. but, still, not too likely.

Re:128 bit encryption in AJAX?! Mod parents way do

[SanityInAnarchy]

Isn't 128 bit encryption already provided via SSL? So if you have to, you send passwords over the net, encrypted?

Re:128 bit encryption in AJAX?! Mod parents way do

[SimHacker]

In case you haven't been paying attention, the whole point of this plug-in is to work around the problem that 128 bit encryption is NOT provided via SSL.

Please read (and understand) the article before posting, next time.

By the way, AJAX is not the solution to every problem.

-Don

Re:128 bit encryption in AJAX?! Mod parents way do

[SanityInAnarchy]

In case you haven't been paying attention, the whole point of this plug-in is to work around the problem that 128 bit encryption is NOT provided via SSL.

In old browsers. My Firefox does support it, and has since there even was a Firefox. And what old browser is going to have xpcom?

If you're going to force them to use a new browser anyway, why lock yourself in more than you have to?

Please read, and understand, and THINK about the article before posting.

Slashdotters make Microsoft cry

[Arru]

Microsoft could propose a new format the specifications of which they intend to make freely availible at no charge and they'd be excoriated faster than you can Slashdot Effect a Packard Bell running NT 3.51.

Oh yeah. That must be why they haven't proposed a truly open format yet.

Re:What's the point of the encryption?

[kurtmckee]

what solution do you have that allows for 2048 bit key RSA to be solved in this year? In fact, lets make it 128 bit.

Those numbers aren't interchangeable like that. 2048-bit asymmetric keys are considerably different than 128-bit symmetric keys because of the math behind them. Saying "Break my 2048-bit encryption! Wait, I'll go easy on you and make it only 128-bit" doesn't work.

This is suicide

[Anonymous+Cowterd]

Activex makes use of the windows api, so it will work on internet explorer. The second most popular browser is firefox, which, of course, uses xpcom. If 85% of the internet uses internet explorer (correct me if I'm wrong), then what is the point of make the banking system client in xpcom? That's cutting your potential userbase by 85%, which, needless to say, is suicide. Also, if (like some other person said earlier on this topic) only old people use secure banking, this would further cut your userbase, as most elderly folks don't know jackshit about computers, so they won't be downloading firefox. They think that the whole internet resides in that little blue "e" on their desktop. So there ya go. You've just cut about 95% of your potential userbase. Good job Korea!

Re:This is suicide

[pandrijeczko]

In response:

1. 100% of Internet users are capable of using XPCom because they can all download and install Firefox. Less than 100% of Internet users can never use Windows API because they don't run Windows.

2. If older people use Internet banking, they probably have enough knowledge to download things like bank statements and click a "setup.exe" to install a program they need. Both "skills" are all you need to install Firefox - after that, the interface is similar enough to IE for them to use Firefox immediately.

3. Perhaps you'll reconsider your argument when, in the future, in order to continue accessing your bank account details online, you have to pay Microsoft a regular "rental" fee to use Windows and IE because that's the only software combination that let's you do it.

4. Please remember that the Internet of today exists because of open standards where the core functionality of things like web browsing, file transfer & remote connectivity are totally platform independent. It therefore makes sense to continue in that way and since people share a lot more information and documents online, they too should all be in an open standard.

5. How would you feel if you couldn't fill up your car at the petrol station nearest your home because it's fuel was incompatible with your car & you had to go to another petrol station 10 miles away? This is an equivalent analogy to the argument you are defending.

Re:This is suicide

[porneL]

I don't care I'm capable of using Firefox. I'm capable of using IE, but I just want my browser which isn't any of those.

Open Standards are useless when they are open standards of only single vendor. Good intentions, poor result.

No need to go anywhere, you can replace your car right here.

Re:This is suicide

[pandrijeczko]

Open Standards are useless when they are open standards of only single vendor.

Sorry, did you *really* read your comments before posting??? How can an open standard be of a single vendor??? Isn't this a complete contradiction?

Re:This is suicide

...Internet of today exists because of open standards...

You know that ActiveX is also an open standard, don't you?

Re:This is suicide

[starwed]

Many open standards begin life implemented by only one vendor. Even HTML, for that matter. ^_^

The point is that, when this SEED thing was developed, the Koreans couldn't make use of the already existing standards. So they pretty much had to design and then implement their own standard. It's good that they're adding implementations to multiple platforms.

Re:This is suicide

[SeeAnd]

>2. If older people use Internet banking, they probably have enough knowledge to download things like bank statements and click a "setup.exe" to install a program they need. Both "skills" are all you need to install Firefox - after that, the interface is similar enough to IE for them to use Firefox immediately. It's not true in korea. anyone do not need to have knowledge to download. most of all commercial sites use Active-X. if you need to install Active-X, just check dialogue box.

Re:This is suicide

>How would you feel if you couldn't fill up your car >at the petrol station nearest your home because >it's fuel was incompatible with your car & you had >to go to another petrol station 10 miles away?

Ahem, it's called diesel. You might as well of said, how would you feel like you had a diesel truck and had to go to a petrol station 10 miles away, and whine and complain about the fact that it takes $80 to fill up a tank that lasts 3 days.

Re:What's the point of the encryption?

[WindBourne]

Yeah, I am very aware of all that. I meant to say AES, in which case, 128 will still be non-trivial in its time. However, I let my fingers do the thinking.

I don't understand what is meant by this

[DrXym]

XPCOM is cross-platform in the sense that it compiles on different platforms but it's not interoperable between them. Neither does one binary run on many platforms. So why is this necessarily good for Mac or Linux users? This bank would still need to build and distribute whatever it is for them too. Who says they will?

Secondly unless someone has built a SOAP bridge into Firefox, XPCOM runs strictly in-process. It's quite possible someone has built such a bridge, but XPCOM itself is mostly ignorant.

So if all they're talking about here is writing a DLL or plugin with an XPCOM scripting interface I don't see what the fuss is about. It's hardly a big deal. Personally I'd rather they stuck with HTML, JS and make it work cross-platform by default. Lots of banks manage this using plain old markup with some JS over SSL.

Browser specific code is just evil. It annoys me to see banks using Java, ActiveX, Shock or some other convoluted faff to do the same since they are invariably inferior or easy to break.

Re:I don't understand what is meant by this

Yes, xpcom-based solution do have issues you raised and that's why I advocated signed Java applet, instead.

  As for your question as to why they can't use a simple HTML/Javascript with SSL, SEED is only a part of the story. Even if SEED is natively supported by every major browser (just like SSL is), we still need a 'bridge' between a web browser and a local OS to read the certificate (mandatory in Korea) on a local disk and prompt for the password. This cannot be done by a javascript but only done by an ActiveX control/ signed Java applet/NPlugin/XPCom component with a sufficient privilege. I don't like this situation at all, but if we have to, signed Java applet is the most platform-independent solution.

Re:128 bit encryption in AJAX?! Mod parents way do

[SimHacker]

You really should read the article -- you're totally missing the point.

Old browsers didn't support 128 bit encryption, so Korean banks developed their own encryption algorithm (SEED), which all their financial services now use. Firefox does not support SEED, but Internet Explored does support SEED via an ActiveX control.

If Firefox supported ActiveX controls, then Firefox would support SEED, but it doesn't. The 128 bit encryption built into Firefox will not solve their problem, because they need to use SEED. They developed SEED because the US government prohibited the export of strong 128 bit encryption at the time Korea deployed their online banking system.

They can't just decide to change their encryption algorithm overnight, so using SSL is simply not an option right now. The ActiveX control solution already exists, and works just fine for 95% of the people. It's nice that they finally support Firefox via XPCOM, but if Firefox supported ActiveX as an option in the first place, then all those Firefox users who needed to do online banking wouldn't have had to wait till now.

ActiveX and XPCOM are similar technologies, and they both have the same security problems and limitations, but they're different enough that somebody has do some programming to repackage the encryption module as an XPCOM control instead of an ActiveX control. If Firefox had an option to support ActiveX at the user's request, then extra effort and delay would not be necessary.

It would take a lot less work to make Firefox support ActiveX, than it would require to rewrite every ActiveX control so it supports XPCOM.

-Don

Did anyone else misread this as XCOM?

I would hate to have to capture a Lobsterman Commander everytime I want to make a withdrawl.

People, listen to what you're saying!

[SimHacker]

The very idea of building a SOAP bridge or an AJAX service to talk to an encryption library is INSANE! Next you kids are going to want to invent a way to use /dev/null via NFS!

The whole point of using a native ActiveX or XPCOM DLL is so you don't have to send your password over the network unencrypted. So why would you use an unencrypted SOAP network service to encrypt data you didn't want to send over the net? What bank in their right mind would do that?

The AJAXian alternative would be to implement the SEED encryption algorithm in JavaScript, and run it in the browser. That's certainly possible, but quite impractical.

If Firefox supported ActiveX as a user option, then there would be no need for a special XPCOM plug-in, and Korean users would have been able to do their banking in Firefox using the ActiveX control that has existed for years now.

ActiveX is just as secure as XPCOM, so why doesn't Firefox support it too? Seems like there's a double standard here.

-Don

Re:People, listen to what you're saying!

[DrXym]

Firefox does do activex on Windows - there is a plugin for it. But if you're going to tell people grab a plugin, you may as well refactor your existing control and make it support NPAPI or XPCOM. Then you can port it to Mac / Linux eventually which is something you can't do with ActiveX

Either way, ActiveX and plugins should be regarded as the final solution. It is possible to talk SOAP over SSL (if need be), or implement something with basic HTML with a bit of JS. Lots of banks do it and both IE and Firefox have pretty decent XML support these days. The ones that insist on controls or applets suck a lot. One of my banks uses Java and stuffs a cert somewhere on the HD, but it is an extremely painful and clunky solution.

Ok this is what we need

[el_womble]

Why is this an issue? If people don't like the way Internet Explorer works, why don't they release a virus that targets IE, downloads Firefox, patches it so that it looks like IE, and then uninstalls IE.

That is why Microsoft have made IE so full of holes isn't it?

Re:128 bit encryption in AJAX?! Mod parents way do

"They can't just decide to change their encryption algorithm overnight"

Of course they can! Why they shouldn't?

They know that they'll have to go SSL eventually and nothing avoids them having both SSL and SEED deployed in parallel during transition. Then (just an idea) they could deviate non-IE browsers to the SSL implementations so they could real-world test them on a low volume environment. Once they are satisfied they can open 128-SSL to everybody.

Re:128 bit encryption in AJAX?! Mod parents way do

[SanityInAnarchy]

Sorry, try again.

They need SEED before 2000, because of restrictions on exporting 128-bit encryption. They don't need it anymore. And I can't believe it's taken them five years to develop an XPCOM app, and nevertheless, it seems to be available for the brand-new Firefox.

Well, true, all TFA says is "128bit enabled browser didn't be exported out of US by US laws before the year of 2000." Yeah, I wonder if a native Korean wrote that? Anyway, there's currently no reason to stick to SEED, unless there are ulterior motives. Maybe SEED is the new Skipjack?

That, or the native Korean has bungled it to the point where I completely missed some obvious fact, like maybe 128-bit browsers still can't be exported? I doubt it, though.

MOD PARENT UP

+5, Smart. Not smartass, just smart.

no need for that

[namekuseijin]

What they'll be delivering, as far as i understand it, is a custom application designed around some Mozilla technologies, mainly XPCOM but perhaps also using the XUL engine for UI.

they're not delivering a custom browser or browser content. it's a custom app making good use of Mozilla techs.

Re:128 bit encryption in AJAX?! Mod parents way do

[SimHacker]

Sorry, stop trying again and again.

Yes they do need SEED. No they are not going to switch the entire country of Korea over to SSL and reissue millions of certificates this afternoon because some Firefox evangelist who still lives with his mom thinks they should.

Yes you have certainly missed some obvious facts.

-Don