The Korea Herald

소아쌤

Outdated security software plagues Korean Internet

By Korea Herald

Published : April 18, 2012 - 18:49

    • Link copied

Nine years ago when Kim Kee-chang came back to his native country of South Korea, he had no idea he was coming back to start a tech war. But when he booted up Linux on his computer something strange happened: he couldn’t use Korean websites.

“Basically I couldn’t do anything,” said Kim, the founder of OpenWeb, an organization dedicated to expanding web accessibility in Korea. “Pages were not adequately displayed on the screen, links didn’t work, menus didn’t work. Nothing worked.”

Kim had discovered a glitch in an otherwise perfect system: for all intents and purposes, South Korea had become a slave to Internet Explorer and, by extension, Microsoft. It’s a problem that Kim believes is rooted in pride; pride that has had damaging effects to Korea’s Internet culture.

At the end of the 1990s, Korea developed its own encryption technology, SEED, with the aim of securing e-commerce. Users must supply a digital certificate, protected by a personal password, for any online transaction in order to prove their identity. For Web sites to be able to verify the certificates, the technology requires users to install a Microsoft ActiveX plug-in.

“The Korean government took a great deal of pride in that breakthrough security technology,” Kim said. “They wanted it to be widely used in Korea.” But ActiveX drew a lot of criticism in the international community.

Park Hun-myoung, a professor of public management and policy analysis at the International University of Japan, says that ActiveX plug-ins consume computing resources, often conflict with each other and contribute to bad computing practices by teaching users to always click “OK” on command prompts.

Despite these criticisms, the Financial Supervisory Service mandated the use of SEED, ActiveX and digital security certificates. The certificates have to come from a government-approved certificate authority, a for-profit organization that sells digital certificates and security software.

But mandating the technology had a host of side effects that, according to Kim, the FSS either largely ignored or didn’t predict.

It forced consumers to use Internet Explorer because it was the only browser ActiveX plug-ins were compatible with. By default, Web developers optimized not only banking and shopping Web sites for Internet Explorer, but all Web sites. For developers, this just seemed logical.

The result has been a decade-long monopoly in the Korean market, where virtually all Korean Web sites are optimized for Internet Explorer.

Reports from Internet Trend show that between 2004 and 2009, Internet Explorer commanded 99 percent of the browser market. While that number has been declining, statistics from February 2012 still showed Internet Explorer had an 87.75 percent share compared to less than half of the market share worldwide.

It was this monopoly that inspired Kim to start OpenWeb and ultimately sue the Korean Financial Telecommunications and Clearings Institute, one of the largest certificate authorities in Korea.

“We argued that because these certificate authorities were sponsored by the government, they were a semi-public service,” Kim said. “We felt this meant they should be providing service not only to users of Internet Explorer.”

OpenWeb lost the case but the media attention swung in the organization’s favor.

“Since that time, many Web sites and service providers rapidly improved,” said Kim. “Web site coders and designers became aware of the issue. Until that time, they weren’t even really aware.”

The shift in Korea’s Internet culture eventually grabbed the government’s attention. A bylaw was created that said government Web sites must accommodate at least three different Web browsers and in 2010 they withdrew the mandate governing the use of ActiveX plug-ins.

But there was a catch.

If a company wants to stop using ActiveX plug-ins, it has to use an alternative technology that offers the same level of insurance. To get approval to use such a technology, they have to get approval from a government appraisal committee. The committee was formed over a year ago and has yet to make a single approval.

Even with some of the regulations lifted, there has been little change in Korea’s Internet culture and it doesn’t bode well for future business in Korea.

“Local banking and payment industries cannot venture into the limitless possibilities of other forms of financial services,” Kim said.

Local security services have also been severely hampered. There haven’t been any upgrades since the end of the 1990s and no other security concepts have had a chance to enter the market, Kim said.

With all these complications, he sees huge road blocks for small Internet start-ups.

“If people are thinking of opening up some service ultimately connected to payment they really have no chance in Korea,” Kim said. “They are stuck in the payment stage and even if they could make it in Korea, they’d have little hope in an international market.”

Even the certificate authorities have acknowledged the need for some change.

“Sticking to one browser is not good,” said one KFTC representative, who asked that his name be withheld. “The Web needs variety, and all Web sites want that.”

But Kim predicts that any changes will be slow.

“There’s a big gap between legislation and implementation,” he said. “Adoption of new standards is going to be a slow process.”

In the meantime, Korea’s e-commerce and Internet culture will continue to suffer the consequences of outdated security standards. 

(Yonhap News)