Korea Paying Price for Microsoft Monoculture

By Kim Tong-hyung
Staff Reporter

South Korea touts itself as the planet's leading broadband Internet nation. Skeptics, however, would argue that the country's computing experience is outdated by nearly a decade.

Of course, only a few countries can compete with Korea in high-speed Internet penetration, which is inching toward the mid-90s percentage-wise, or new products and leapfrogging technologies pushed out in waves seemingly every quarter.

But the land of ubiquitous broadband, feature-happy ``smart'' phones and ultra-cool computing devices doubles as a crusty regime where Linux, Firefox, Chrome and Opera users can't bank or purchase products online, and where Mac users buy Windows CDs to prevent their devices being reduced to fashion items.

The bizarre coexistence of advanced hardware and an outdated user environment is a result of the country's overreliance on the technology of Microsoft, the U.S. software giant that owns the Korean computing experience like a fat kid does a cookie jar.

It is estimated that around 99 percent of Korean computers run on Microsoft's Windows operating system, and a similar rate of Internet users rely on the company's Internet Explorer (IE) Web browser to connect to cyberspace.

Critics say the country would end up paying dearly for allowing a Microsoft monoculture to take hold, with consumers deprived of the freedom to choose newer and better products and the Web industry seeing its innovation compromised.

``Korea has a lot of talented people in its Internet industry, and they have been promoting great ideas and producing great Web sites, but many of these people are now fed up over problems like Active-X and all that,'' said Victor Ching, a Korean-American entrepreneur who is now in Korea operating a Web site, PUMPL (www.pumpl.com), with his business partner Brian Lee.

``These people have the potential to do great things, but it seems that the industry is being held back by a few issues.''

Obviously, the biggest problem is that virtually all encrypted online communications in Korea, such as online banking and e-commerce transactions, have been made to rely on Active-X controls. The Microsoft-developed tool, introduced in 1996, is designed only to work on IE and is the key reason the browser cemented its dominance here.

However, the country's dependence on Active-X is unique, as security concerns have limited the deployment of the technology elsewhere.

Instead of a security-based model, Active-X relies on signatures to allow users to judge whether to download an Active-X control. This is a risky arrangement, since Active-X controls require full access to the Windows operating system and are often abused by cyber criminals who spread malicious programs to direct the browser to download files that compromise the user's control of the computer.

Even Microsoft seems ready to bail on Active-X, looking to phase out the program over security concerns and compatibility issues. However, in Korea, where most Web sites rely on Active-X to enable a variety of functions from online transactions to simple flash features, the program is abundant and critical as air.

This leads to awkwardness whenever Microsoft introduces a new product here. The release of Windows Vista caused massive disruption when Active-X used by banks and online shopping sites didn't function properly.

And the Korean Internet users sweated over Microsoft's initial plans to reduce its support for Active-X in IE8, the latest version of the company's Web browser. Although IE8 did end up backing Active-X, strengthened security features have made its use more complicated.

The reliance on Active-X has locked Korean computer users into a depressing cycle where they are prevented from venturing off to other operating systems and browsers, and stuck with an outdated technologies their creator can't wait to dispel.

``There are much better technologies out there, but Active-X has left us stuck at Windows XP and IE6,'' said Channy Yun, an official from Daum (www.daum.net), the country's second-largest Web portal, and also the local leader of the Mozilla foundation, a non-profit organization promoting the Firefox Web browser.

``You can't convince users here to try other non-Microsoft browsers when they are useless in encrypted communications. This is not a good situation for Microsoft as well, as the Koreans are clinging to the old version of its products and shudder at the thought of moving to new ones.''

Active-X usage became a hot topic again in July when a massive Internet attack left more than 80,000 Korean computers crippled. It was pointed out that Active-X provided an easy route for cyber criminals spreading the malware for the distributed denial of service (DDoS) attacks.

Policymakers and experts debated in length over ways to strengthen the defenses, but came only to the conclusion that it would be best for individual users to update their security software. Ironically, much of these programs provided by online security companies like AhnLab are distributed through Active-X.

Stuck on Windows XP, IE6

Another problem with Active-X is that it is prolonging the life of IE6, the sixth revision of Microsoft's Web browser that was introduced in 2001. The antiquated browser doesn't support key Web standards, which makes it difficult for developers to design more sophisticated Web pages that are compatible with other browsers.

This has prompted major Web sites such as YouTube, Facebook and Twitter to urge their users to ditch the aged application. And according to Net Applications, a Web metrics company, IE6 is clearly on its way out, accounting for less than 25 percent of the world's browser market as of August.

However, the IE6 share in Korea is close to 60 percent, according to local Web analytics firm, Internet Trend, as companies are reluctant to go through the trouble to test and reprogram their Active-X entangled Web pages for newer browsers. So it's easy to imagine Korean users waking up one day and experiencing difficulties in watching YouTube videos.

During the creation of the PUMPL, Ching and Lee encountered numerous delays to make their site compatible to IE6, and this led them to become the Korean representatives of the worldwide ``IE6 No More'' campaign.

They have gathered more than 1,000 signatures on their Web site, IE6 No More Korea (www.ie6nomore.kr), launched earlier this month, and the goal is to get 1 million.

``Making our Web site IE6 compatible added about 20 percent to the development time. And there are limitations to what you can do on IE6 … for example, the IE6 doesn't support PNG image files that are used for making transparent backgrounds,'' Ching said.

``The matter depends on whether we will settle for dominating the Korean market or spread ourselves abroad too. The biggest developer tools now are HTML5 and CSS3, and these technologies will take Web sites abroad to the next level, while Koreans wouldn't be able to even see them. It really doesn't make sense.''

The Korean reliance on Active-X dates back to 1998, when the country announced its own national encryption system, SEED, a block cipher that is used in place of SSL. SEED was created because policymakers didn't consider the 40-bit SSL stable enough to protect online transactions, and the 128-bit SSL protocol had yet to arrive.

Korean users downloaded the SEED plug-ins to their IE or Netscape browsers, through Active-X and NSplugin, but the fall of Netscape had Active-X remaining as the only method to do any encrypted communications online.

Over the past few years, a dedicated group of industry experts have been urging the government and financial service companies that there should be other ways to secure online transactions.

One of them is Korea University's Kim Ki-chang, who is pursuing his third lawsuit against the Korea Financial Telecommunications and Clearing Institute (KFTC) for overwhelming Active-X use after failing on the first two tries.

However, Yun, who worked as technology advisor for Kim during the legal efforts, said that things are becoming more complicated.

``The country had a chance to solve this problem around 2002 and 2003, when we first rallied against the Active-X problem, as the matter was then only about public-key certificates,'' Yun said.

``Now, the use of Active-X has become much broader, not only used for issuing public-key certificates, but also keyboard security programs, computer vaccines and a variety of online transactions programs. Whenever security issues or other problems related to Active-X controls arose, the companies operating the Web sites developed another Active-X solution to cover it, and now that so many programs rely on Active-X, we don't know where to start.''

After neglecting the issue for years, the government is finally becoming serious about promoting the diversity of browsers, with the Ministry of Public Administration and Security announced plans to reprogram the country's e-government sites to have them work properly on non-Microsoft browsers.

However, Yun believes that financial service providers such as banks and credit card companies, not policymakers or the Web industry, hold the key to breaking the Active-X chokehold.

He also called for the rewriting of the country's regulations on online transactions that require the use of electronic signatures based on public-key certificates, and claimed that more verification methods should be recognized.

An idea is the use of one-time-passwords (OTPs), or passwords that are only valid for a single log-in session or transaction, which could be provided on paper, electronic tokens or through mobile-phone text messages. Yun said a local bank is currently working with the Mozilla foundation to develop OTP-based online banking service for Firefox users, although actual deployment of the service has yet to be decided.

The question is whether banks and credit card companies would risk tweaking the security settings of their online services when the market share of non-Microsoft browsers is less than 1 percent.

Shinhan Bank provides an online banking program for Apple Macintosh users, but it is not accessible through Web browsers. And among the online shopping sites, only Gmarket has shown an interest, allowing transactions on non-Microsoft browsers.

``The financial service companies and e-commerce firms already have the technology to provide transactions without public-key certificates, as seen by the way they handle mobile-phone-based purchases. The law already grants `exceptions,' which allow other verification methods to be used when public-key certificates aren't available, so the companies can certainly provide alternatives,'' Yun said.

``However, it is a matter of whether the companies are willing to be more responsible for the security of online transactions, or rather continue to develop new Active-X plug-ins whenever a new problem emerges. It's hard to imagine that the Microsoft monoculture could be challenged here, but users of non-Microsoft browsers should have other options.''

thkim@koreatimes.co.kr