Japanese Government Requires Java and Internet Explorer 11 X86

Long time reader AmiMoJo writes: Japan has introduced "My Number", a social security number assigned to citizens and used to access government services. Unfortunately, the My Number management web portal requires the Java plug-in. Because this plug-in is deprecated in many browsers, only Internet Explorer 11 (32 bit) and Safari on Mac are supported. The explanation (translated) given for this is that in order to access My Number contactless card readers Java is the only option. Some browsers support IC card access but it seems that it is not mature enough to be viable.

I guess 2017 won't be the year of Linux

on the desktop in Japan.

Re:I guess 2017 won't be the year of Linux

[Joce640k]

This is quote normal here in Spain, too. Everybody who needs access to government web sites is forced to use Java for their card reader so they can digitally sign stuff.

(all accountants, etc., are required to do this)

Re: I guess 2017 won't be the year of Linux

The point of Java is to be cross platform, so I don't understand why it would be limited to IE11 or any browser.

Re: I guess 2017 won't be the year of Linux

[houstonbofh]

The point may have been but the execution was anything but! Every version on evey platform have changes... Some of these were deal breakers. Most enterprises have different virtual desktops for management of Network devices, storage devices and virtual servers because they all require specific and different (and mutually exclusive) versions of java!

Re: I guess 2017 won't be the year of Linux

How 2016, they should have a mobile app instead.

Re: I guess 2017 won't be the year of Linux

That was a decade ago. Oracle has pretty much destroyed java and made it very unsecure so all modern browsers block it.

Re:I guess 2017 won't be the year of Linux

[K.+S.+Kyosuke]

It will come only two years after the year of BTRON on the desktop, I'm sure.

Re: I guess 2017 won't be the year of Linux

Google et al decided to just say "fuck it." and completely remove java support from their browsers without consideration for the infrastructure they would disrupt. You can shoe horn in back in if you really want but then don't expect government agencies to work out in bugs as a result of your hacks to get it running.

IE and Safari are the only 2 major browsers that offer java applet support out of the box.

Re:I guess 2017 won't be the year of Linux

[jgfenix]

You tell me. The problems I had to make the electronic DNI work (and I didn't use it too much). Well now at least the driver is included in Windows (only for IE/Edge and Chrome though).

Re: I guess 2017 won't be the year of Linux

[sjames]

Mostly because there have been so many security holes found in java plugins that no other browsers even support it any more. Even Oracle doesn't think it's a good idea these days. Fee free to contemplate the irony of using the java plugin for a security application.

Re: I guess 2017 won't be the year of Linux

Mostly because there have been so many security holes found in java plugins that no other browsers even support it any more. Even Oracle doesn't think it's a good idea these days. Fee free to contemplate the irony of using the java plugin for a security application.

They won't. The whole reason why they used it in the first place was because of the lack of robust options.

Take PC/SC for example. Practically, every card reader you use must support the cards you want to use. I.e. Just randomly picking up a stack of new smartcards and a reader won't work. Even if the card reader supports the card type, (Memory only, or Secure Processor), the reader may not recognize the card's ATR (Answer to Reset) or it may not recognize the firmware on the card and fail to do anything with it. Another issue is the application used. The app tends to need to format the data for the card before it sends it. There's no robust TCP/IP like API stack here. If the app doesn't support the card reader and cards used, you will not be getting anywhere.

It's so bad that OpenPGP has it's own format for storing keys on a smartcard that's incompatible with everything else. While OpenSSL uses PKCS12. They even sell cards specifically for OpenPGP. (Yubikey.)

This makes the choice of what cards and card readers you will use the defining aspect of any smartcard deployment. As this choice will be greatest limiter of your other choices through out the remainder of the smartcard-based project. Everything from what hardware can interact with it to future expansion or security fixes. (Some cards are firmware based, and will only ever support specific crypto algorithms. (And key sizes!) You need to use a new algorithm or a bigger keysize? That's going to require deploying new cards, and completely replacing the existing cards before your system is secure again.

Finally, most of these cards (processor based) are closed source. So there's no guarantee that they will work as expected, and little insight as to what exactly they are doing when you plug them in. (Great for security applications right?) There's also no key retrieval on the cards that make the keys for you. So if you hose the card that contains your encryption key, you had best have a copy of that cleartext lying around somewhere. (That also means you can't confirm that the key used was actually built as advertised, without doing some cryptanalysis.)

Java works on most things, and it's updatable. Yes the browser plugin is a security nightmare, but so is the concept of relying on a card you can't control very well to authenticate, attest to, and secure your identity / communications. So yeah I can see why the Japanese government chose Java Card. They want something that works, with minimal hassle. A.K.A Real security is hard, and we're all a bunch of primates. So that ain't happening.

Re:I guess 2017 won't be the year of Linux

[Provocateur]

So are card readers (that I have seen on old clunky keyboards) sold as part of PC OEM configuration e.g. CPU-Screen-mouse-keyboard in Spain? Or you just add this to your PC like an after market accessory? Please pardon my ignorance

Re:I guess 2017 won't be the year of Linux

[jgfenix]

The normal is to buy the card reader apart (the computer I use at work has a card reader Incorporated in the keyboard though but I don't see them in other places.)

Re:I guess 2017 won't be the year of Linux

[Provocateur]

Thank you for the response. =)

Re: I guess 2017 won't be the year of Linux

[sjames]

When your expected deployment is measurable in millions, vendors become keenly interested in meeting YOUR requirements.

Dumb...

NPAPI is the other option, but that puts you in the exact same boat as Java (though IMHO is still better).

Re:Dumb...

[Lirodon]

NPAPI is the other option, but that puts you in the exact same boat as Java (though IMHO is still better).

Actually, NPAPI is the common point of failure, because Java in the browser _is_ NPAPI, and the deprecation of it is the reason why the Java plug-in is being discontinued, period.

Re:Dumb...

> that puts you in the exact same boat as Java

Yeah I know, but if you're stuck with NPAPI (e.g. you need to interface hardware from a web browser) its best to just use that with C/C++ instead of add Java on top and its baggage. I've written more NPAPI plugins then I care to admit and some are even still in production for customers that haven't switched to the websocket versions of the product. If they had been written in Java they would require a lot more maintenance such as needing to purchase, re-sign and re-deploy the applets every 3 years because they need to be signed.

The Number One signature of incompetence: "My"

There is nothing more indicative of mediocrity than the presence of the Microsoft-popularized* qualifier "My"

----------

* ... or was it popularized by Perl????

Re: The Number One signature of incompetence: "My"

I'm sure some anime watching drone will come in here and give you the specifics of why my doesn't translate well from Japanese but I wanted to frist post before they do

Re:The Number One signature of incompetence: "My"

Yep. And you can add the words "family" and "home" here too. Every time these words are used in a product description, it means you're getting something dumbed-down and intended for the lowest common denominator.

Re:The Number One signature of incompetence: "My"

[avandesande]

dont forget 'cloud'

Re:The Number One signature of incompetence: "My"

[Joce640k]

That's exactly what you're supposed to think. It's having the intended effect.

(ie. Making you want to purchase the "professional" version - at twice the price for two extra features that you'll probably never use)

Re:The Number One signature of incompetence: "My"

[houstonbofh]

Number one, my ass!

Re:The Number One signature of incompetence: "My"

[nitehawk214]

Number One, I order you to take a Number Two.

Re: The Number One signature of incompetence: "My"

[Ark42]

I have a My Number card. It's spelled in Katakana. Literally "Mai Nambaa". There is no translation to English. They literally wanted to use the English phrase "My Number" as the name of the system.

Re: The Number One signature of incompetence: "My"

[AmiMoJo]

It seems to be a trope in the Japanese language. People sometimes think that English words used by the Japanese have the same meaning as in English, but it's often not the case. For example "water" generally refers to a flavoured energy drink.

Anyway, "my" in Japanese is used to signify something personal or personalized. Railway modellers talk about "my train", meaning their favourite model that they have improved from stock. In this case, the government also wanted to avoid reminding people of a more authoritarian past so used "my number" to imply that they were importing the idea from other countries and it was entirely normal and progressive (which to be fair it is, most countries have some kind of personal number, like the National Insurance Number in the UK or Social Security Number in the US). It also helps avoid overloading existing words and names.

Re:The Number One signature of incompetence: "My"

[houstonbofh]

Who does number two work for?

Weirdness factory

Sigh--yet something else from the Japanese weirdness factory.

The JAPS

Should stick to video games and tentacle porn. Please stay out of the engineering dept.

Re: The JAPS

[Type44Q]

They should stick to rice... get it? ;)

Re: The JAPS

[Type44Q]

"So tellibry lacist to point out the stickiness of lice, des yo!!"

Or not, as the case may be....

Broken link

[theNetImp]

The link is broken it leads to google translate, but it's just an empty translate page.

Re:Broken link

I don't get the point of linking translations. Post the damn source, people can run it through a translator if they want.

Japan is a very bureaucratic nation

[Master5000]

They have a lot of paper and are pretty useless with computers. Usually the opposite from what you see in the news about Japan. They aren't that of an advanced nation if you look at the common man. So this shouldn't be a surprise. It's good that they're trying to automate some stuff but it will take some time and they will make some mistakes. Even dumb mistakes like this one.

Re:Japan is a very bureaucratic nation

Who's going to tech all the elderly/aging people how to use a computer?
Just let them use their faxes

Re:Japan is a very bureaucratic nation

lulz my mother cant use email still she uses a fax machine

Re: Japan is a very bureaucratic nation

Lulz my mom can't even use a fax machine. She still uses hand delivered mail in 2k17.

Re: Japan is a very bureaucratic nation

[The-Ixian]

You kids with your hula-hoops and fax machines.... And who decided on beige for all these new-fangled gadgets? Damn kids...

Re:Japan is a very bureaucratic nation

[gtall]

Example: Sony. Please, someone put this company out of our misery.

Re:Japan is a very bureaucratic nation

[AmiMoJo]

Funny, I visit regularly and find that the general level of technology, the pervasiveness of it, is much higher than the UK. Maybe we are even more backwards.

They certainly seem pretty good with computers, anyway. And smart phones.

This is just an issue with incompetent developers and bureaucracy picking the wrong technology a few years ago. Japanese people over on Srad (the new name for Slashdot Japan) seem to agree. Yes, I pilfered the story from there.

Yawn

Yawn, IE11 defaults to 32 bit anyway. You get both 32bit and 64bit installs on windows. And many times 64 bit version has many issues especially with compatibility. In fact, many enterprises disable the 64 bit IE entirely.
Kinda like how MS themselves recommend NOT using 64 bit office, but only 32 bit office installs, because it's full of issues that MS doesn't bother to fix.

The x86 IE 11 requirement is a non story.

The java requirement on the other hand...

Re:Yawn

[The-Ixian]

I am not so sure that it is flaws in the 64 bit version of the software, I feel that it is actually the same problem that plagues Windows in general: Backward compatibility.

There is an ocean of Office and IE plugins that are 32 bit only. While it is a problem that Microsoft created, it's not exactly their problem to update the vast amount of 3rd party programs which only work with 32 bit versions.

The thing is, 64 bit is all well and good, but even today, there isn't a compelling reason to have 64-bit address space for most applications. Kind of the same thing with multi-threading and multiple cores. Most apps just don't need or can't use that extra capacity.

Re:Yawn

[gtall]

It isn't that MS doesn't bother to fix the issues, it is that they cannot fix the issues because no one understands how it is built any longer. It is like a Agile Wet Dream: roll that snowball down the slope of customer features long enough and don't ever redesign its innards and you get Office.

Re:Yawn

[marcansoft]

Smart card access has been broken in Linux Chrome for seven odd years, and that's *with* native PKCS plugins. Browser support for smartcards is still horrible. No wonder they had to go for java.

waterfox 64 bit works with java!

[Joe_Dragon]

waterfox 64 bit works with java!

Now supermicro can we get a non java ipmi?

Re:waterfox 64 bit works with java!

Its crazy right? I have all this networking gear and they all need Java for the admin consoles.

Re:waterfox 64 bit works with java!

ipmitool -I lanplus works great with supermicro. The only thing ipmitool doesn't do is KVM, and you can do this from the command line without the stupid plugin using java -Djava.library.path=. -jar iKVM.jar 10.1.2.3 ADMIN passwd null 5900 623 0 0

Re:waterfox 64 bit works with java!

[sjames]

That is somewhat more useful, but I really wish they would just go with plain old vnc. They're not as bad as the ones that open a random port and signal back to the app. Some of us have to hop through ssh tunnels.

That's why in 2017, I'm still glad linux can be installed using a combination of serial and (sometimes) vnc. At least I can now use the web browser to mount virtual media.

unclear on the concept

Sounds like someone misunderstood what future proofing means.

Re:unclear on the concept

[hey!]

I worked for years as a contractor developing software for government agencies, and in my experience they're often running software that is years out-of-date. This is a result of government budgets operating in a cash rather than accrual mentality -- i.e. that a penny saved is a penny earned. Taken to the extreme "a penny saved is a penny earned" is false.

Can you make do with a version of software that's EOL? Sure, but it'll cause problems. How can we solve those problems? Well, throw staff time at them. Would that be new hires? No, they're people whose salaries we're already paying. So the view you can minimize the immediate cash outlay by running obsolete software. This would not be reckoned by a private enterprise as a legitimate cost savings, but that's why the IT guys in government have to contend with.

So you have to look at government platform decisions like they were being made 10 years ago. Then allow for the development time for the project and this is how the calculation goes: 2017,minus three years for project development time, minus ten years for government lag time, and this is like a corporate in-house developer choosing applets as a platform in 2004.

Government IT guys run the gamut from incompetent to high competent, just like their private sector counterparts. But if you were to give them a letter grade (ABCDF) you have to deduct one letter grade from their ability to perform to account for the irrational financial incentives they have to deal with.

Re:unclear on the concept

[stinerman]

Can you make do with a version of software that's EOL? Sure, but it'll cause problems. How can we solve those problems? Well, throw staff time at them. Would that be new hires? No, they're people whose salaries we're already paying. So the view you can minimize the immediate cash outlay by running obsolete software. This would not be reckoned by a private enterprise as a legitimate cost savings, but that's why the IT guys in government have to contend with.

Oh, you'd be surprised. I've worked many places that consider employee time to be "free". We can buy a library that will solve problem X or just build it ourselves. The library costs money, but building it ourselves is free! After all, we're paying our programmers anyway!

Re:unclear on the concept

"This would not be reckoned by a private enterprise as a legitimate cost savings"

You may have insufficient experience with private enterprises.

Re:unclear on the concept

[hey!]

Oh, you'd be surprised. I've worked many places that consider employee time to be "free". We can buy a library that will solve problem X or just build it ourselves. The library costs money, but building it ourselves is free! After all, we're paying our programmers anyway!

That's a more complicated question, because it's not just about staff time spending vs. license fees. When you build dependencies on a closed source library into your work that's an act of faith in the vendor's future support policies. Once I had a vendor who raised the distribution fees on downstream licensees from $5/seat to $1000/seat. Oh, and don't forget the vendors who simply abandon products that aren't making money and leave their customers dangling.

Even if you don't buy into the ideology of Free/Libre software, the risk of being tied to a vendor's future goodwill is a sufficient reason never to buy proprietary libraries. If you do buy a proprietary library you need to protect yourself both contractually (if possible) and architecturally.

Now as for using "free" staff time, at the risk of sounding like I'm contradicting myself, intelligent and creative use of slack developer time is one of the most important things you can do for your long-term success. Far from treating slack time as "free", however, I see it as treating slack time as too valuable to squander. You should set aside time to do things purely for extending the capabilities of the team. That might involve reinventing the wheel, if you have good reason to believe you can make a better one.

Sounds about right

Tokyo is covered in wifi. Wifi that's horrendously configured, overlapping, and almost completely inaccessible from phones built in the last 5 years. A lot of it is WEP. I just kind of assume they have different priorities from more Western nations.

Why was the contract given to this company?

[execthis]

Whoever gave the contract to the maker of the contactless card reader which only has a Java driver is an idiot and should be fired.

Same mistake as Korea

[plsuh]

South Korea mandated the use of an ActiveX control for online payments in the 1990s, which has locked companies and banks there into a deprecated and dangerous technology. Only in the last couple of years has the government there started the process of getting rid of the damn POS system.

Someone please tell the Japanese government that what they are doing is a REALLY bad idea.

Re:Same mistake as Korea

[thegarbz]

which has locked companies and banks there into a deprecated and dangerous technology

The extent of the dangers and the upcoming depreciation of ActiveX were not known at the time of this implementation. There's another way to see this, in the same light as that crappy broadcast standard called NTSC. The first mover always has the disadvantage of uncertainty and at the time the Koreans made the move they were among the most technologically advanced online banking systems in the world.

The Japanese look like they may have already made this mistake in the past and are already tied into legacy systems which depend on Java.

Re:Same mistake as Korea

as a side note: MSN Messenger is still alive and kicking (or was just a few years ago) in S. Korea for a very similar reason, It was required for some kind of government interaction... and so S.K. paid MSFT to keep it up and running

Which is sad that the best chat client is a 10 year old version of MSN messenger... (still)

It gained favor in Asian countries over AIM, etc. because it has unicode support earlier than any of the others

Re:Same mistake as Korea

[plsuh]

The extent of the dangers ... of ActiveX were not known at the time of this implementation

ActiveX in the browser has always been an absolutely horrendous idea from a security perspective. Everyone I know of who works in the computer security field thought that ActiveX in the browser was a security hole waiting to be exploited from the start. Choosing ActiveX as a basis for electronic payments was a Really Bad Idea. This was obvious even in 1996.

Re:Same mistake as Korea

[thegarbz]

works in the computer security field

Check your timeframe. This field was mostly non-existent at the times Korean banks were going online. In some ways ActiveX may have created the field.

Re:Same mistake as Korea

[antdude]

I am surprised these high tech countries still use stuff like that. :(

Japan: old and new

They have a lot of paper and are pretty useless with computers. Usually the opposite from what you see in the news about Japan. They aren't that of an advanced nation if you look at the common man. So this shouldn't be a surprise. It's good that they're trying to automate some stuff but it will take some time and they will make some mistakes. Even dumb mistakes like this one.

Also: cash is still king. Their banking system is fairly antiquated, and so debit and credit are supposedly a hassle to setup (because of fees).

Supposedly fax machines are also still used extensively.

Asia and internet tech

[phorm]

A lot of places in Asia seem to be in the prehistoric age when it comes to Internet tech.

Korea has similar issues with a bunch of banking and government sites. I think just in the last year many have fixed it, but my wife has had a f*** of a time because many of those sites required IE6 and ActiveX (for their "security" plugins, ironically). If you're in Korea it's a bit less of an issue because you can just drop by the bank or gov't agency, but it's especially a pain for anyone overseas.

They have the right idea

It's because most of this browser and operating system version stuff matters very little in the daily life of real people. It's not a big deal to setup a system that conforms to the government's requirements, and the government doesn't have to create a massive project every few years to revamp their systems and retest for conformance over an ever growing matrix of computing platforms.

use java web start instead

browser plugin deprecation is a non-issue.

just use java web start instead: https://en.wikipedia.org/wiki/Java_Web_Start

all you have to do is write a tiny .jnlp file and link to.

done.

Re:use java web start instead

Oh yeah. Webstart. Works until the next minor java update breaks it. If you are very lucky, you just need to purge java's download cache and go back to the page that pointed you to the jnlp .... You know, intuitive stuff every user knows how to do. /s

If that doesn't work, Oracle changed something in the way webstart works and you are screwed until the app vendor gets new version ready.

Re:use java web start instead

Been using that crap for years, not that I like it though. Jfyi.

Re:use java web start instead

Try telling that to the sales/marketing guys that the user has to download something and launch it.

Really there is no good way in modern web browsers to interface with specialised hardware. Everything is being deprecated and html 5 only provides generic APIs. The only way I know if is a self hosted service; but even that requires installing a local certificate so that https sites work with it.

Windows XP

[jfdavis668]

But, how do I run Internet Explorer on my Windows XP machine?

Re:Windows XP

[SeaFox]

But, how do I run Internet Explorer on my Windows XP machine?

Joke fail.
Internet Explorer comes with XP. You didn't specify IE11.

My bank implemented clever solution

Local application server listening to localhost interface. It is native win32 application which interacts with hardware crypto-provider.
The web page loads JS application which in safe way interacts with server using keys stored in crypto-provider.
Works under all modern browsers.

Windows-tightened because crypto-provider produced only for windows.

Any reason why Java?

Why doesn't this POS support openSC?
Or any kind of open standard for that matter.

TFA?

Do I miss something?
Or where is TFA?

Korea's "mistake"

South Korea mandated the use of an ActiveX control for online payments in the 1990s, [...]

No, they mandated a certain level of crypto, which (in 1999) was only possible via a browser plug-in:

In fact, there were two versions of SSL: U.S. edition and international edition. The U.S. edition supported 128-bit secret key whereas the international edition supported 40-bit secret key. The problem is that 40-bit secret key is too weak to use for message encryption.

South Korea needed a better encryption than what the international edition supported, so Korea Internet & Security Agency (KISA) developed 128-bit block cipher called SEED in 1999. The development was necessary since there was a proliferation of personal computers and the internet network during that time all over South Korea. KISA chose ActiveX control to use their secure cipher on Internet Explorer, which was used by the most of internet users in Korea.

* https://medium.com/@yunkee_lee/why-has-south-korea-been-stuck-with-activex-44c773dbf54
* https://en.wikipedia.org/wiki/SEED

It reached a critical mass and so people were stuck with it. Though the regulations weren't officially lifted until a few years ago (once software crypto ITAR was relaxed).

Palemoon

[dafradu]

If the problem are the modern browsers that disabled NPAPI plugins then you can use Palemoon, even the x64 build still runs Java.

ie only...

If I tried to pass something like this off to my boss.... id loose my job!

What would be the correct way ?

[v1nce29]

to interact with a card reader from a browser ?

The point of Oracle

[Shane_Optima]

The point of Java is to be cross platform, so I don't understand why it would be limited to IE11 or any browser.

Java was developed by Sun, which was later bought out by Oracle. It turns out Oracle has their own special set of priorities and Java plugin bug fixes was not one of them.

Also, the "point of Java is to be cross platform" thing was just an early PR thing. The point of Java (in practice) was to take C++, remove the "C" and cover any remaining sharp corners with padding.

Re:The point of Oracle

The past 2-3 years I've had the pleasure working on a web application that must generate signatures for +- 1200 endusers on a daily basis (with hardware not under our control).

The period 2014-2015 is also when the most java vulnerabilities where found, and fixed by Oracle (lets' be fair here). We had a lot of problems with this but aside from 1 Oracle SNAFU (java upgrade corrupted security.policy files if I remember correctly), all other problems were due to security tightening with every release and eventually forcing a 100% correctly signed applet. For more than a year now we are in a very stable situation without noteworthy issues.

Nevertheless, just maintaining the applet is a very big overhead. The build process is clunky (creation of uber-jar because we need to sign all classes from all signed libraries), manual procedures to create signature for production, re-signing when certificate must change or is about to expire, headaches in development because we sign with a "non-official" certificate, each java release we must validate asap nothing broke because the new version is not made available to us before our end-users,.....

Java is great server side, but please keep it away from the client! The future deprecation of applet by Oracle itself (first release of java 9 this september will still support applets, but after that we expect it to be finally discontinued) combined with above problems caused us to search for different solution and there are plenty, almost always in the form of browser javascript api + plugin/extension.

There's a very nice open source project https://github.com/open-eid which is tied to the estonian eid software: http://www.id.ee/index.php?id=30469 . I've done some basic tests with this and had no issues creating a signature.
Eventually we chose a 3rd party vendor which has the same approach (browser plugin / extension + javascript wrapper) and up until now we are very happy with the end result, except for the lack of Linux support but this is my personal sentiment as we have no end-users running it. We are finalizing the project and expect to release in 2 months.

Our government in the meanwhile has transitioned their applet to a java web start based application which I think is just short sighted. I wont be surprised if they will have to migrate again in the future.

I wanted to voice my opinion on Japan, but the link in the summary is broken and the only search result for "japan my number java" brought me to https://yro.slashdot.org/story/17/01/27/148242/japanese-government-requires-java-and-internet-explorer-11-x86 , and I dont handle recursion well....