Slashdot Mirror


Korea Post Office Supports XPCOM Based E-Banking

Channy writes "Mozillazine is reporting that the Korean Post Office has decided to support Mozilla Firefox for internet banking and has started the development project of an XPCOM based internet banking system. From the article: 'In past there were no web browsers for 128 bit encryption except Opera 3.5 for international users when Korea started internet banking services in 1998.'"

35 of 144 comments

  1. Now by 42Penguins · · Score: 2, Interesting

    All they need to do is DROP support for IE.
    Also quite the undertaking switching 4700 from windows to linux.
    Yay for Korea and Korean memes!

    1. Re:Now by daviqh · · Score: 2, Interesting

      We could also have some more support in Mozilla Browser, and I hope they start support for that too.

      --
      Microsoft is like...no, it's much worse.
    2. Re:Now by strcmp · · Score: 5, Insightful
      Why should they drop support for IE? It's still the most widely used browser, despite its many flaws.

      This is no worse than saying that they should drop support for Safari because it's so sparsely used.

      --
      "Yields falsehood when preceded by its own quotation" yields falsehood when preceded by its own quotation.
    3. Re:Now by strcmp · · Score: 2, Interesting
      Unsafe for the client, but not the server... as far as I know. People should be aware that they browse "at their own risks" and do have a choice as to which browser to use. If some people want to use IE, well, they were warned.

      A better solution, of course, is to have a banking system that is not dependent on the underlying browser architecture.

      --
      "Yields falsehood when preceded by its own quotation" yields falsehood when preceded by its own quotation.
    4. Re:Now by killjoe · · Score: 4, Insightful

      The average person will eat whatever you shove down their throat. MS knows that, Politicians know that, why don't you know it?

      --
      evil is as evil does
    5. Re:Now by bit+trollent · · Score: 2

      Compete on features, not on dirty tricks.

      Aww screw it, who are we kidding. You morons would tell someone to ban IE from their website even if it would run them out of business.

      Why?

      Because you are a bunch of self-righteous pricks. That's it. You get on your high horse and you pontificate on matters which you don't really understand or have any business attempting to influence.

      But what the hell. This is slashdot. Thrust your hypocritical ideologies on the shitheap. It doesn't matter. Nobody takes you seriously.

  2. Obl. "In Korea ..." by weighn · · Score: 5, Funny
    Only old people use secure internet banking.

    The kiddies are swapping cvs details over Telnet.

    --
    Mongrel News all the news that fits and froths
  3. Great news! by webby123 · · Score: 2, Interesting

    Great news, does this mean they will be including a "get firefox" icon on their website?

    --
    Linux Video Tutorial Project, Tutoring the masses.
  4. which korea? by petermgreen · · Score: 3, Funny

    is this north korea south korea or both?

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    1. Re:which korea? by damsa · · Score: 4, Funny

      North Korea doesn't have internet nor money. My bet is that this is South Korea.

    2. Re:which korea? by Geoffreyerffoeg · · Score: 2, Interesting

      You're right that it says it's in Seoul, so it would be in South Korea.

      (You're completely mistaken if you think that North and South Korea would want anything to do with each other. Here's a hint: there's troops on each side of the border between them.)

    3. Re:which korea? by natrius · · Score: 3, Informative

      > You're completely mistaken if you think that North and South Korea would want anything to do with each other. Here's a hint: there's troops on each side of the border between them.

      "It's time for us to put an end to history of dissension, and open an era of national integration. This also means laying the grounds to surmount division, and to ring in a reunified era ruled by peace and prosperity."
      - South Korean President Roh Moo-hyun

      Sure, there's some tension there, but I think saying that they want nothing to do with each other is a bit much. That'd be a better characterization for Pakistan and India, where some of the people actually dislike each other. I don't think the North and South Korean people actually dislike each other, but one group just happens to be ruled by a crazy dictator.

    4. Re:which korea? by AstroDrabb · · Score: 2, Interesting
      Huh? You are quoting _SOUTH_ Korea. There is a _huge_ difference between what South Korea wants and what North Korea wants. South Korea is basically democratic. North Korea is a dictatorship.
      > where some of the people actually dislike each other. I don't think the North and South Korean people actually dislike each other
      I agree with you there. However, there is the HUGE problem of the North Korean dictator that is known for having pretty bad human rights violations. I doubt many South Koreans would volunteer to be a part of that.
      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
  5. Support for Firefox???? by Anonymous Coward · · Score: 3, Insightful

    All you need to do is support a standard web browser (without requiring activeX crap to work), and firefox works fine.

    My bank doesn't "support" firefox, but it works great.

  6. SEED? by erikharrison · · Score: 4, Informative

    The article is a little ambiguous - this seems to be only for SEED, a Korean only strong encryption algorithm, which itself isn't native to browsers, which is why they required activex in the first place.

    1. Re:SEED? by Channy · · Score: 5, Informative

      In the past, there was no 128-bit browser for international users. But 40-bit is very weak for financial services. So Korea chose plugin-based internet banking and made its own 128-bit algorithm called SEED. At first, both NSPlugin and ActiveX were supported. After the browser war, Netscape had no market share, so most banks stopped NSPlugin support. SEED is heading toward becoming a world standard.
      http://www.ietf.org/html.charters/smime-charter.html
      http://www.ietf.org/internet-drafts/draft-ietf-smime-cms-seed-02.txt

  7. Not quite following... by uits · · Score: 5, Interesting

    Because they were unable to use 128bit SSL in 1998, they are going to develop internet banking that is dependent on Mozilla XPCOM, instead of taking a cross platform standard SSL approach now?

    While Mozilla is ostensibly a better platform to be locked into than Microsoft, is this really a big benefit?

    Someone please translate for the layman (me)

    1. Re:Not quite following... by Wizarth · · Score: 3, Informative

      I'd say it's because they have all their SEED technology in place, and don't want to replace that. Especially since it currently works. Producing a XPCOM based plug-in for Mozilla based browsers lets them connect to SEED encrypted connections, without replacing infrastructure.

    2. Re:Not quite following... by ihavnoid · · Score: 5, Informative

      First, I'm a Korean citizen who uses on-line banking every day.

      Just as the article mentions, 128-bit SSL wasn't an option when the internet-based banking started in 1998, so Korea had to develop their own standards. Since there are more than 10 million SEED-based certificates issued in this country, changing the whole infrastructure into SSL would be crazy.

      Yes, certificates are issued to everybody who needs an on-line banking account, since the certificate itself is used as an authentication method. To get a certificate, you have to visit any bank where you have an account, ask them for on-line banking, and they will give you a one-time password for issuing your certificate (valid for one week).

      Everything else is handled on-line. Since the authentication system is a national standard, it works with any bank, any credit card company, and I remember it also works on the stock market. You don't need any offline registration to use it on another bank.

      The certificate is password-protected, just like any other certificate. I believe the certificate is node-locked. If you want to export/import the key, you need the password associated with the key.

      I'm not sure how many of these kinds of features are supported by SSL, but even if IE/Firefox/Opera's SSL has more features, I don't think it's a good idea to replace a system that works well. Yes, I hate ActiveX, but I don't want to see 10+ million Korean citizens visit the bank for re-issuing their certificate.

    3. Re:Not quite following... by stoev · · Score: 2, Interesting

      Are there any free open source implementations of SEED? I think a change to SSL should be discussed. I am also in Korea (I work here). In 10 minutes I will extend my SEED key online, which expires soon. I will not go to my bank (which is 50 meters from me). The same method can be used to change all the keys to SSL. No need to visit the bank office.

      My personal opinion is that the existing e-banking system in Korea is substandard. ActiveX requires admin on XP to install and most banks install 2-3 other activeX. This has to stop. Somebody has to educate these guys how to do e-banking.

  8. Re:What's the point of the encryption? by Anonymous Coward · · Score: 2, Informative

    Surely you jest. Ever heard of rootkits, buffer overflow exploits and the like?

    I work in the IT department at a major university. Our servers are probed relentlessly. If we don't stay up on the patches, we will get 0wn3d rather quickly.

    I can't tell you how many times some boneheaded student who thinks he is the alpha geek comes to school with his Gentoo or Fedora box, plugs it into his dorm room's ethernet jack, and then proceeds to get owned because he doesn't know jack about securing his box. Within a rather short period of time, these boxes are relaying spam (we block outgoing port 25 now) or have become a zombie host for some script kiddie's botnet on IRC.

    Windows is definitely a problem too, I certainly don't want to gloss over that, but you said non-MS doesn't get viruses.

  9. This explains it nicely by Anonymous Coward · · Score: 2, Informative
  10. Re:Is there a STANDALONE xpcom release? by strcmp · · Score: 4, Informative
    --
    "Yields falsehood when preceded by its own quotation" yields falsehood when preceded by its own quotation.
  11. Re:What's the point of the encryption? by korea · · Score: 2, Funny

    I prefer none without the e, thank you. Both of your statements were addressed in replies to you by Anonymous Cowards. I hope that answers your question.

    --
    "pain is weakness leaving the body."
  12. Post office by DavidBartlett · · Score: 5, Interesting

    In case you were wondering, most bills are paid at the post office in Korea.

    --

    -DB-
    E-mail is like a prison: a prison with no walls... and no toilet. -Strong Bad
  13. Re:who cares by The+Original+Yama · · Score: 3, Insightful

    XPCOM is freely available for anyone to implement (unlike ActiveX). It is more secure than ActiveX and more functional than AJAX.

    Perhaps MS should include XPCOM in IE? There's nothing stopping them, really.

  14. I can see it now! by Agarax · · Score: 5, Interesting

    Oh yeah, I can see you at the board meeting now:

    You: "Well, sir. I think we should block out Internet Explorer users because their browser is unsafe."

    Boss: "Is it unsafe for us or them?"

    You: "Them. It wouldn't really affect us. They are just more likely to become victims of identity theft through a virus."

    Boss: "Can they also get the same virus through an email attachment? Or by someone digging through their trash?"

    You: "... yes."

    Boss: "How many of our customers use IE?"

    You: "About 80%"

    Boss: "And what is there to prevent them from moving to another bank that DOES support their browser?"

    You: "Well, that would be a lot of trouble for them to go through. It's easier to just download a safe browser."

    Boss: "And what would we do about the advertisements our competitors would air stating that we don't properly support internet banking because we dropped support for IE? Getting new customers might become difficult."

    You: "Well ... we tell them that it is foolish of them to use Windows and Internet Explorer and that they should switch to something else."

    (Long Pause)

    Boss: "While we are at it, why don't we refuse entry to SUVs in the drive-thru ATM because the customer is more likely to scratch his paint and he is wasting the gas he paid for? You should stick to IT, you don't know jack about how a business works. "

    --
    Remember folks, slashdot doesn't have a -1 "disagree" moderation!
    1. Re:I can see it now! by mrchaotica · · Score: 3, Insightful
      > Boss: "Is it unsafe for us or them?"
      >
      > You: "Them. It wouldn't really affect us. They are just more likely to become victims of identity theft through a virus."
      That's incorrect. In case you haven't noticed, most banks advertize that they'll bail their customers out when they get defrauded. So it does affect the bank, because they have to raise interest rates to cover their losses from fraud.
      > Boss: "And what would we do about the advertisements our competitors would air stating that we don't properly support internet banking because we dropped support for IE? Getting new customers might become difficult."
      We tell them that, (apparently) unlike other banks, we care about their financial well-being, and try to do everything possible to ensure a safe electronic banking experience.
      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  15. Misinformation about ActiveX/DCOM by SimHacker · · Score: 2, Informative
    Thanks for trying out, but you can't be a cheerleader if you don't do your homework.

    The ActiveX Specification is freely available for anyone to implement. In case you didn't know, XPCOM is just an open source knock-off of ActiveX, with enough gratuitous changes to make them incompatible in practice. But essentially, they're the same thing.

    XPCOM is no more secure than ActiveX. They both have total access to your computer. It's irresponsible of you to spread the misinformation that XPCOM is more secure than ActiveX, when it's not. It doesn't help anyone to have a false sense of security based on well meaning hype and uninformed cheerleading.

    You're right that both ActiveX and XPCOM are more functional than AJAX (for some definition of the word "functional" -- in the sense that it has more client side functionality).

    Perhaps Firefox should include support for ActiveX? There's nothing stopping them, really. So then it wouldn't have been necessary to write a special XPCOM control, since they could have used their original ActiveX control.

    Oh yeah, I forgot, it's more important for Firefox to make a rhetorical point by excluding ActiveX support, than to serve the needs of its users. That's called cutting off your nose to spite your face.

    -Don

    --
    Take a look and feel free: http://www.PieMenu.com
    1. Re:Misinformation about ActiveX/DCOM by SimHacker · · Score: 2, Informative
      You're wrong, and you've completely missed the point of ActiveX and XPCOM.

      They are both systems for defining interfaces that hide the way you implement services. ActiveX says nothing about which API you use to implement the interfaces with. The whole point of ActiveX and XPCOM is to separate interface from implementation.

      ActiveX runs on MacOS, OS/X, Linux, Unix, without any Win32 api dependencies, and on Windows, where you can develop ActiveX controls with or without Win32 and MFC dependencies.

      I don't understand your argument about "making use of the windows api in linux is about as good as using POSIX on windows". Haven't you ever heard of cygwin? That's pretty good, and I use it all the time.

      I also don't understand your argument about "To add activeX to gecko's windows codebase would just spilt the userbase".

      You sound like those Loki apologists who argue that Wine is evil because it discourages people from developing games for Linux. If it solves some people's problems, then what's your beef with it?

      -Don

      --
      Take a look and feel free: http://www.PieMenu.com
    2. Re:Misinformation about ActiveX/DCOM by SimHacker · · Score: 2, Interesting
      Of course ActiveX runs on non-Windows platforms. What rock have you been living under for the last six years?

      -Don

      The Open Group Releases COMsource 1.1

      Menlo Park, CA. 10 January 2001 -- The Open Group has just released COMsource version 1.1, an enhanced version of the existing version, COMsource 1.0. COMsource is an open systems implementation of Microsoft's Component Object Model (COM) middleware developed for the Windows™ platform that extends the COM middleware infrastructure to UNIX™. COMsource also allows independent software vendors to easily port their COM applications to non-Microsoft platforms. COMsource 1.0, released in September 1999, provides an object-based, distributed programming model that allows two or more applications, or application components, to easily interact and interoperate. COMsource 1.1 has a number of added features and benefits, including:

      Updated to run on Solaris 2.6
      Added support for the latest versions of NT and Windows 2000. COMsource is now compatible with NT 4.0 Service Packs 4, 5 and 6 and Windows 2000
      Maintenance updates for build and runtime issues; enhancements to error handling to enable passing of rich error information between servers and clients on various platforms

      The reference implementations include source code, an interoperability test suite and the reference documentation set. COMsource 1.1 also now has a Support & Maintenance Service offering, which consists of:

      Consultation on using, building, installing and porting COMsource
      Problem isolation and tracking
      Critical problem escalation
      Development of code fixes or workarounds for defects

      For more information on COMsource 1.1, please visit www.opengroup.org/comsource

      --
      Take a look and feel free: http://www.PieMenu.com
  16. Re:128 bit encryption in AJAX?! Mod parents way do by SimHacker · · Score: 2, Informative
    In case you haven't been paying attention, the whole point of this plug-in is to work around the problem that 128 bit encryption is NOT provided via SSL.

    Please read (and understand) the article before posting, next time.

    By the way, AJAX is not the solution to every problem.

    -Don

    --
    Take a look and feel free: http://www.PieMenu.com
  17. Re:who cares by zurab · · Score: 2, Insightful
    Hmm... Let's see:

    > Who cares that they are creating an XPCOM piece of shit?

    Anyone in Korea that cares about cross platform compatibility of their banking and other related applications.

    > Why don't they just make a web-based thing that would work for all browsers.

    Because as other posters and the article itself pointed out, the banking industry is already standardized on using SEED instead of SSL. Presumably changing that would be a tougher undertaking. Besides, XPCOM could work in any browser and any platform if a maker of that browser decided to support it - no Firefox or Mozilla suite are required.

    > And seriously, you people are such hypocrites.

    OK, people out there definitely are.

    > XPCOM doesn't work on IE, and activex doesn't work on Firefox.

    Sure, but the advantage of "Cross Platform Component Object Model" is that it works "cross platform." As I mentioned earlier, this enables any maker of any browser on almost any platform to use XPCOM. You can't say the same for ActiveX, which is an MS proprietary extension.

    > So that instantly makes Firefox better?

    No, it makes XPCOM "better."
  18. Re:This is suicide by pandrijeczko · · Score: 2, Insightful
    In response:

    1. 100% of Internet users are capable of using XPCom because they can all download and install Firefox. Less than 100% of Internet users can never use Windows API because they don't run Windows.

    2. If older people use Internet banking, they probably have enough knowledge to download things like bank statements and click a "setup.exe" to install a program they need. Both "skills" are all you need to install Firefox - after that, the interface is similar enough to IE for them to use Firefox immediately.

    3. Perhaps you'll reconsider your argument when, in the future, in order to continue accessing your bank account details online, you have to pay Microsoft a regular "rental" fee to use Windows and IE because that's the only software combination that lets you do it.

    4. Please remember that the Internet of today exists because of open standards where the core functionality of things like web browsing, file transfer & remote connectivity are totally platform independent. It therefore makes sense to continue in that way and since people share a lot more information and documents online, they too should all be in an open standard.

    5. How would you feel if you couldn't fill up your car at the petrol station nearest your home because its fuel was incompatible with your car & you had to go to another petrol station 10 miles away? This is an equivalent analogy to the argument you are defending.

    --
    Gentoo Linux - another day, another USE flag.
  19. Re:This is suicide by starwed · · Score: 2, Insightful

    Many open standards begin life implemented by only one vendor. Even HTML, for that matter. ^_^

    The point is that, when this SEED thing was developed, the Koreans couldn't make use of the already existing standards. So they pretty much had to design and then implement their own standard. It's good that they're adding implementations to multiple platforms.