Korea Post Office Supports XPCOM Based E-Banking
Channy writes "Mozillazine is reporting that the Korean Post Office has decided to support Mozilla Firefox for internet banking and has started the development project of an XPCOM based internet banking system. From the article: 'In past there were no web browsers for 128 bit encryption except Opera 3.5 for international users when Korea started internet banking services in 1998.'"
All they need to do is DROP support for IE.
Also quite the undertaking switching 4700 from windows to linux.
Yay for Korea and Korean memes!
The kiddies are swapping cvs details over Telnet.
Mongrel News all the news that fits and froths
Great news, does this mean they will be including a "get firefox" icon on their website?
Linux Video Tutorial Project, Tutoring the masses.
Anything that helps take market share away from Microsoft...
Is this North Korea, South Korea or both?
Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
All you need to do is support a standard web browser (without requiring activeX crap to work), and firefox works fine.
My bank doesn't "support" firefox, but it works great.
The article is a little ambiguous - this seems to be only for SEED, a Korean only strong encryption algorithm, which itself isn't native to browsers, which is why they required activex in the first place.
Because they were unable to use 128bit SSL in 1998, they are going to develop internet banking that is dependent on Mozilla XPCOM, instead of taking a cross platform standard SSL approach now?
While Mozilla is ostensibly a better platform to be locked into than Microsoft, is this really a big benefit?
Someone please translate for the layman (me)
In case you did not get the joke, in Wikipedia's markup language, putting double brackets around an article title autolinks to that article (usually at http://en.wikipedia.org/wiki/Article_title).
"Yields falsehood when preceded by its own quotation" yields falsehood when preceded by its own quotation.
Mozilla is quite infamous for bundling everything (and the kitchen sink) into one. Only OpenOffice is worse...
In Soviet Washington the swamp drains you.
Hummmmmm. And what none MS keylogger is there? In fact, what none MS virus/worm is there that is causing any real issue? Not just logged, but actually causing a problem?
the amount of time it takes to decrypt even the newest encryption methods is relatively trivial, so what's the point of encryption for anyone on the planet?
Really? So what solution do you have that allows for 2048 bit key RSA to be solved in this year? In fact, lets make it 128 bit.
I prefer the "u" in honour as it seems to be missing these days.
He's an asshole, but he's right this time. Why not use AJAX? Not just to support IE, but to avoid installing software on the local machine...
Don't thank God, thank a doctor!
Surely you jest. Ever heard of rootkits, buffer overflow exploits and the like?
I work in the IT department at a major university. Our servers are probed relentlessly. If we don't stay up on the patches, we will get 0wn3d rather quickly.
I can't tell you how many times some boneheaded student who thinks he is the alpha geek comes to school with his Gentoo or Fedora box, plugs it into his dorm room's ethernet jack, and then proceeds to get owned because he doesn't know jack about securing his box. Within a rather short period of time, these boxes are relaying spam (we block outgoing port 25 now) or have become a zombie host for some script kiddie's botnet on IRC.
Windows is definitely a problem too, I certainly don't want to gloss over that, but you said non-MS doesn't get viruses.
http://www.mozilla.org/why/framework.html
I prefer none without the e, thank you. Both of your statements were addressed in replies to you by Anonymous Cowards. I hope that answers your question.
--
"pain is weakness leaving the body."
In case you were wondering, most bills are paid at the post office in Korea.
-DB-
E-mail is like a prison: a prison with no walls... and no toilet. -Strong Bad
They aren't supporting firefox, they are just not supporting other browsers. It will be terrible to see when everyone becomes locked in to firefox. Free software is about freedom and compatibility. This will be neither.
...and that is all I have to say about that.
http://jessta.id.au
XPCOM is freely available for anyone to implement (unlike ActiveX). It is more secure than ActiveX and more functional than AJAX.
Perhaps MS should include XPCOM in IE? There's nothing stopping them, really.
OLPC Australia
"the amount of time it takes to decrypt even the newest encryption methods is relatively trivial"
Uh, no.
The perfect sig is a lot like silence, only louder
Are you proposing implementing the encryption on the server side, and sending passwords over the net unencrypted?
Or are you suggesting they implement the 128 bit encryption algorithm in JavaScript?
-Don
Take a look and feel free: http://www.PieMenu.com
Oh yeah, I can see you at the board meeting now:
You: "Well, sir. I think we should block out Internet Explorer users because their browser is unsafe."
Boss: "Is it unsafe for us or them?"
You: "Them. It wouldn't really affect us. They are just more likely to become victims of identity theft through a virus."
Boss: "Can they also get the same virus through an email attachment? Or by someone digging through their trash?"
You: "... yes."
Boss: "How many of our customers use IE?"
You: "About 80%"
Boss: "And what is there to prevent them from moving to another bank that DOES support their browser?"
You: "Well, that would be a lot of trouble for them to go through. It's easier to just download a safe browser."
Boss: "And what would we do about the advertisements our competitors would air stating that we don't properly support internet banking because we dropped support for IE? Getting new customers might become difficult."
You: "Well... we tell them that it is foolish of them to use Windows and Internet Explorer and that they should switch to something else."
(Long Pause)
Boss: "While we are at it, why don't we refuse entry to SUVs in the drive-thru ATM because the customer is more likely to scratch his paint and he is wasting the gas he paid for? You should stick to IT, you don't know jack about how a business works."
Remember folks, slashdot doesn't have a -1 "disagree" moderation!
The "cross platform standards is superior" line is only trotted out when it is against Microsoft. Apple could create a horrific new music format with more sinister DRM than Microsoft has ever remotely dreamt of and Slashdotters would give it a thumbs up. Ubuntu could drop all support for zip, bzip, etc., in favor of a proprietary new compression format that no other distro used and it would get glowing reviews and plaudits for it.
Microsoft could propose a new format the specifications of which they intend to make freely available at no charge and they'd be excoriated faster than you can Slashdot Effect a Packard Bell running NT 3.51.
If this doesn't work across all platforms then all it is doing is seriously disenfranchising a massive number of customers and that is no better than any of the things MS is taken to task for endlessly or any company that embraces MS technologies over those of Firefox and company.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
hummmm. Actually, I was thinking of AES. Brain fart, I guess. Thanx.
I prefer the "u" in honour as it seems to be missing these days.
The ActiveX Specification is freely available for anyone to implement. In case you didn't know, XPCOM is just an open source knock-off of ActiveX, with enough gratuitous changes to make them incompatible in practice. But essentially, they're the same thing.
XPCOM is no more secure than ActiveX. They both have total access to your computer. It's irresponsible of you to spread the misinformation that XPCOM is more secure than ActiveX, when it's not. It doesn't help anyone to have a false sense of security based on well meaning hype and uninformed cheerleading.
You're right that both ActiveX and XPCOM are more functional than AJAX (for some definition of the word "functional" -- in the sense that it has more client side functionality).
Perhaps Firefox should include support for ActiveX? There's nothing stopping them, really. So then it wouldn't have been necessary to write a special XPCOM control, since they could have used their original ActiveX control.
Oh yeah, I forgot, it's more important for Firefox to make a rhetorical point by excluding ActiveX support, than to serve the needs of its users. That's called cutting off your nose to spite your face.
-Don
Take a look and feel free: http://www.PieMenu.com
Isn't 128 bit encryption already provided via SSL? So if you have to, you send passwords over the net, encrypted?
Don't thank God, thank a doctor!
Please read (and understand) the article before posting, next time.
By the way, AJAX is not the solution to every problem.
-Don
Take a look and feel free: http://www.PieMenu.com
In case you haven't been paying attention, the whole point of this plug-in is to work around the problem that 128 bit encryption is NOT provided via SSL.
In old browsers. My Firefox does support it, and has since there even was a Firefox. And what old browser is going to have xpcom?
If you're going to force them to use a new browser anyway, why lock yourself in more than you have to?
Please read, and understand, and THINK about the article before posting.
Don't thank God, thank a doctor!
There's no 'on' position on the Slacker switch!
Anyone in Korea that cares about cross platform compatibility of their banking and other related applications.
Because as other posters and the article itself pointed out, the banking industry is already standardized on using SEED instead of SSL. Presumably changing that would be a tougher undertaking. Besides, XPCOM could work in any browser and any platform if a maker of that browser decided to support it - no Firefox or Mozilla suite are required.
OK, people out there definitely are.
Sure, but the advantage of "Cross Platform Component Object Model" is that it works "cross platform." As I mentioned earlier, this enables any maker of any browser on almost any platform to use XPCOM. You can't say the same for ActiveX, which is an MS proprietary extension.
No, it makes XPCOM "better."
what solution do you have that allows for 2048 bit key RSA to be solved in this year? In fact, lets make it 128 bit.
Those numbers aren't interchangeable like that. 2048-bit asymmetric keys are considerably different than 128-bit symmetric keys because of the math behind them. Saying "Break my 2048-bit encryption! Wait, I'll go easy on you and make it only 128-bit" doesn't work.
Yeah, I am very aware of all that. I meant to say AES, in which case, 128 will still be non-trivial in its time. However, I let my fingers do the thinking.
I prefer the "u" in honour as it seems to be missing these days.
1. 100% of Internet users are capable of using XPCom because they can all download and install Firefox. Less than 100% of Internet users can never use Windows API because they don't run Windows.
2. If older people use Internet banking, they probably have enough knowledge to download things like bank statements and click a "setup.exe" to install a program they need. Both "skills" are all you need to install Firefox - after that, the interface is similar enough to IE for them to use Firefox immediately.
3. Perhaps you'll reconsider your argument when, in the future, in order to continue accessing your bank account details online, you have to pay Microsoft a regular "rental" fee to use Windows and IE because that's the only software combination that lets you do it.
4. Please remember that the Internet of today exists because of open standards where the core functionality of things like web browsing, file transfer & remote connectivity are totally platform independent. It therefore makes sense to continue in that way and since people share a lot more information and documents online, they too should all be in an open standard.
5. How would you feel if you couldn't fill up your car at the petrol station nearest your home because its fuel was incompatible with your car & you had to go to another petrol station 10 miles away? This is an equivalent analogy to the argument you are defending.
Gentoo Linux - another day, another USE flag.
Secondly unless someone has built a SOAP bridge into Firefox, XPCOM runs strictly in-process. It's quite possible someone has built such a bridge, but XPCOM itself is mostly ignorant.
So if all they're talking about here is writing a DLL or plugin with an XPCOM scripting interface I don't see what the fuss is about. It's hardly a big deal. Personally I'd rather they stuck with HTML, JS and make it work cross-platform by default. Lots of banks manage this using plain old markup with some JS over SSL.
Browser specific code is just evil. It annoys me to see banks using Java, ActiveX, Shock or some other convoluted faff to do the same since they are invariably inferior or easy to break.
Old browsers didn't support 128 bit encryption, so Korean banks developed their own encryption algorithm (SEED), which all their financial services now use. Firefox does not support SEED, but Internet Explorer does support SEED via an ActiveX control.
If Firefox supported ActiveX controls, then Firefox would support SEED, but it doesn't. The 128 bit encryption built into Firefox will not solve their problem, because they need to use SEED. They developed SEED because the US government prohibited the export of strong 128 bit encryption at the time Korea deployed their online banking system.
They can't just decide to change their encryption algorithm overnight, so using SSL is simply not an option right now. The ActiveX control solution already exists, and works just fine for 95% of the people. It's nice that they finally support Firefox via XPCOM, but if Firefox supported ActiveX as an option in the first place, then all those Firefox users who needed to do online banking wouldn't have had to wait till now.
ActiveX and XPCOM are similar technologies, and they both have the same security problems and limitations, but they're different enough that somebody has to do some programming to repackage the encryption module as an XPCOM control instead of an ActiveX control. If Firefox had an option to support ActiveX at the user's request, then extra effort and delay would not be necessary.
It would take a lot less work to make Firefox support ActiveX, than it would require to rewrite every ActiveX control so it supports XPCOM.
-Don
Take a look and feel free: http://www.PieMenu.com
It's "tunnel-visioned" individuals like yourself that always turn arguments about cross-platform & open standards into "anti-Microsoft" ones - surely, the idea of an open standard is that everyone can use it???
Gentoo Linux - another day, another USE flag.
This statement is an oxymoron and demonstrates your lack of knowledge of open source.
The fact that any Linux distribution like Ubuntu gets used in the first place is because it has a high degree of compatibility with software that any other Linux distro uses - introducing a proprietary compression format would probably be the death of any distro because no-one would want to use it.
I suggest you need to go read about this more to become better informed - you'll then understand that a Linux distro is just about a particular way of packaging and presenting software to appeal to users of varying degrees of ability - ultimately, however, it all comes from the same source code anyway.
Gentoo Linux - another day, another USE flag.
Open Standards are useless when they are open standards of only single vendor. Good intentions, poor result.
No need to go anywhere, you can replace your car right here.
Sorry, did you *really* read your comments before posting??? How can an open standard be of a single vendor??? Isn't this a complete contradiction?
Gentoo Linux - another day, another USE flag.
The whole point of using a native ActiveX or XPCOM DLL is so you don't have to send your password over the network unencrypted. So why would you use an unencrypted SOAP network service to encrypt data you didn't want to send over the net? What bank in their right mind would do that?
The AJAXian alternative would be to implement the SEED encryption algorithm in JavaScript, and run it in the browser. That's certainly possible, but quite impractical.
If Firefox supported ActiveX as a user option, then there would be no need for a special XPCOM plug-in, and Korean users would have been able to do their banking in Firefox using the ActiveX control that has existed for years now.
ActiveX is just as secure as XPCOM, so why doesn't Firefox support it too? Seems like there's a double standard here.
-Don
Take a look and feel free: http://www.PieMenu.com
Why is this an issue? If people don't like the way Internet Explorer works, why don't they release a virus that targets IE, downloads Firefox, patches it so that it looks like IE, and then uninstalls IE.
That is why Microsoft have made IE so full of holes isn't it?
Scared of flying, pointy things since 1979!
Sorry, try again.
They needed SEED before 2000, because of restrictions on exporting 128-bit encryption. They don't need it anymore. And I can't believe it's taken them five years to develop an XPCOM app, and nevertheless, it seems to be available for the brand-new Firefox.
Well, true, all TFA says is "128bit enabled browser didn't be exported out of US by US laws before the year of 2000." Yeah, I wonder if a native Korean wrote that? Anyway, there's currently no reason to stick to SEED, unless there are ulterior motives. Maybe SEED is the new Skipjack?
That, or the native Korean has bungled it to the point where I completely missed some obvious fact, like maybe 128-bit browsers still can't be exported? I doubt it, though.
Don't thank God, thank a doctor!
Many open standards begin life implemented by only one vendor. Even HTML, for that matter. ^_^
The point is that, when this SEED thing was developed, the Koreans couldn't make use of the already existing standards. So they pretty much had to design and then implement their own standard. It's good that they're adding implementations to multiple platforms.
What they'll be delivering, as far as I understand it, is a custom application designed around some Mozilla technologies, mainly XPCOM but perhaps also using the XUL engine for UI.
They're not delivering a custom browser or browser content. It's a custom app making good use of Mozilla techs.
I don't feel like it...
Yes they do need SEED. No they are not going to switch the entire country of Korea over to SSL and reissue millions of certificates this afternoon because some Firefox evangelist who still lives with his mom thinks they should.
Yes you have certainly missed some obvious facts.
-Don
Take a look and feel free: http://www.PieMenu.com
>2. If older people use Internet banking, they probably have enough knowledge to download things like bank statements and click a "setup.exe" to install a program they need. Both "skills" are all you need to install Firefox - after that, the interface is similar enough to IE for them to use Firefox immediately.
It's not true in Korea. No one needs to have knowledge to download. Most of all commercial sites use Active-X. If you need to install Active-X, just check the dialogue box.