09
May 10

Korea: 1995 -> 2010

Last week I had the opportunity to travel to Korea to speak at a short conference regarding the unique Korean authentication requirements for banks and e-commerce. The rules originated in the mid 90′s, in response to a perceived lack of finalized standards around SSL and US crypto export restrictions. It mandated the use of the proprietary 128bit cypher SEED (http://en.wikipedia.org/wiki/SEED) implemented in the form of plugins and ActiveX controls, along with client certificates for authentication.

Today this has resulted in a system that largely ignores HTTPS and relies on user authentication, channel encryption and transaction signing via proprietary ActiveX controls (plugins equivalents fell out of favor after Netscape lost the browser war, though there has been some increasing interest in them lately). This model implies some serious usability issues, namely that users are reduced to Windows and IE as the only viable platform for serious web browsing. Not just IE, but often older versions of IE since many of these ActiveX controls don’t support newer versions of IE and Windows. The irony is that one of the most technologically advanced free societies is forced to use the worst possible browser from a general usability and security standpoint. Mobile devices generally also don’t support this model either, although banks are now starting to build dedicated apps for more popular devices.

This also has some unfortunate security implications. While the model may have seemed reasonable given the crypto restrictions and threat models of the mid-90s, and even advanced in many respects, the end result of its struggle to keep up with the evolving web threat model has been an odd Rube Goldberg-esqe system of part time anti-malware, anti-keylogging, and excessive faith in the strength of client certificates as a non-repudiation mechanism.

The reality of the model is that, since the HTML interface is delivered over HTTP, any man-in-the-middle (MITM) attacker can inject their own HTML or JavaScript into the content, to then display their own dialogs to the user, prompt to install a malicious ActiveX control or prevent the intended ones from running. Or just hang out quietly and steal any information the user sees via HTML, which includes information like bank accounts, balances, transaction history, etc. The user has no way of detecting that this has happened, nor can they do anything to prevent it.

The recent Korean launch and popularity of foreign mobile devices has driven a lot of interest in alternative browsers and platforms, and it turns out that the Korean people are already well aware of the usability and choice penalties imposed by the current model. So my talk focused primarily on the security shortcomings of the current model, and especially entire parts of the threat model that are not being addressed, such as content integrity and confidentiality.

The subsequent coverage was quite positive, though the only English-language article I’m aware of is here: http://www.koreatimes.co.kr/www/news/biz/2010/04/123_65102.html

My presentation is available here: https://wiki.mozilla.org/images/6/61/Korea.pdf
Also presented was a paper by two young researchers from Oxford, that goes into more technical detail: http://www.comlab.ox.ac.uk/publications/publication3442-abstract.html

For some excellent background on this topic, check out:
Gen Kanai’s blog – http://blog.mozilla.org/gen/category/korea/
Channy Yun’s article – http://webstandards.or.kr/2007/03/17/korean-home-brew-on-the-web/