Why has South Korea been stuck with ActiveX?
ActiveX is a legacy software framework created by Microsoft that adapts Object Linking and Embedding (OLE). Internet Explorer supports ActiveX controls, which are browser add-ons. When the browser tries to render a page that uses an ActiveX control, it asks the user for permission to install the control. Once installed, the control has access to the user’s Windows system, so it can install additional applications. Microsoft suggests that “it’s best to avoid using them if the webpage will work without them” because that access to the OS poses a security risk. So why are they so widely used in web applications in South Korea? The reason for the obsessive use of ActiveX controls goes back 16 years.
In July 1999, the Financial Supervisory Service (FSS, 금융감독원) in South Korea pushed the Digital Signature Act (전자서명법). Under this act, a person who wants to use online financial services or an online payment system must have a digital certificate (공인인증서) issued by a financial institution. This means that whenever you want to purchase something with your credit card or transfer money from your bank account on the Internet, you must have your digital certificate. It is an authentication factor proving that you are a valid user of the system and not an impostor. You also don’t have to visit a branch to get the certificate, and there is no need to submit your physical ID or your PIN when you make an online transaction.
Now you might think this is not a horrible idea; it sounds like an extra layer of security. But think about when you send money on Venmo or buy something on Amazon. There is no digital certificate that you must have issued by Chase or Bank of America. That is because they use Secure Sockets Layer (SSL) to secure communications over the network. SSL encrypts the data in transit and provides integrity and authentication for the communication between you and Amazon. It was developed by Netscape. In fact, there were two editions of SSL: a U.S. edition and an international edition. The U.S. edition supported 128-bit secret keys, whereas the international edition supported only 40-bit secret keys. The problem is that a 40-bit secret key is too weak to use for message encryption.
South Korea needed stronger encryption than the international edition offered, so the Korea Internet & Security Agency (KISA, 한국인터넷진흥원) developed a 128-bit block cipher called SEED in 1999. The development was necessary because personal computers and internet connectivity were proliferating across South Korea at the time. KISA chose an ActiveX control as the way to run its cipher in Internet Explorer, which was used by most internet users in Korea. Given the number of Internet Explorer users and the weakness of international SSL, SEED became the standard in the same year it was developed. The prevalence of ActiveX controls started when the FSS adopted SEED as the standard against which communication security was evaluated. Since 128-bit SSL was not available when the Digital Signature Act was enacted, SEED was chosen.
With SEED as the standard cipher and the Digital Signature Act in force, the whole IT industry in South Korea focused on web development with ActiveX controls. This led to the mass production of web developers fully acquainted with Microsoft’s technology. Since then, every web application for electronic government, banks, and online shopping has used ActiveX controls. There was no problem with browser support because everyone used Internet Explorer. The FSS and KISA probably did not have to consider implementing encryption with SSL even when 128-bit SSL became the international standard. Web developers did not need to deprecate the ActiveX control since 99% of traffic came from Internet Explorer.
Now you can see that the laws and ecosystem in South Korea have caused the wide use of ActiveX controls. The technology was introduced to provide communication security on the Internet. However, it made the user experience inconvenient, as you need to go through extra steps to install programs and use your digital signature. Moreover, there were multiple security incidents in which it was used to distribute malware. Fortunately, the government and companies have been trying to get rid of ActiveX controls since 2010. I think they were somewhat successful in their plans, even though there are other technologies they still want to use with SSL (NPAPI is a popular choice, but it is also being phased out by Google). In addition, earlier this year the government announced that it will make 90% of the top 100 websites ActiveX-free by 2017. I hope this policy will remove ActiveX controls soon without enforcing some other extra layers on the existing system.
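Checking whether a site is actually “ActiveX-free” means looking for the markup that makes Internet Explorer prompt to install a control: an `<object classid="clsid:...">` tag (often with a `codebase` pointing at the installer), `new ActiveXObject(...)` in script, and, for the NPAPI plug-ins mentioned above, `<embed>` or `<object>` tags with an `application/x-...` type. The following is an added example written for this post, not code from the original article, from any Korean agency, or from Microsoft: a standard-library Python auditor that scans an HTML document for those markers. The sample page, the all-zero CLSID, the `Example.SecureSign` program id, and the `example.test` URL are constructed placeholders.

```python
"""Audit an HTML document for ActiveX control and NPAPI plug-in dependencies.

Hypothetical helper for this post; standard library only. It reports the
markers that a legacy browser would turn into an "install this control"
prompt, which is what an ActiveX-free audit has to look for.
"""
import re
from html.parser import HTMLParser

# <object classid="clsid:..."> embeds an ActiveX control (IE only).
CLSID_RE = re.compile(r"^clsid:", re.IGNORECASE)
# new ActiveXObject("Prog.Id") instantiates a control from script (IE JScript).
ACTIVEX_JS_RE = re.compile(r"""new\s+ActiveXObject\s*\(\s*['"]([^'"]+)['"]""", re.IGNORECASE)
# <embed>/<object type="application/x-..."> normally loads an NPAPI plug-in.
NPAPI_TYPE_RE = re.compile(r"^application/x-", re.IGNORECASE)


class PluginAuditor(HTMLParser):
    """Collects (kind, detail) findings while the parser walks the document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # attributes without values become ""
        if tag == "object":
            if CLSID_RE.match(a.get("classid", "")):
                self.findings.append(("activex-object", a["classid"]))
            if a.get("codebase"):                       # installer the browser would download
                self.findings.append(("activex-codebase", a["codebase"]))
            if NPAPI_TYPE_RE.match(a.get("type", "")):
                self.findings.append(("npapi-object", a["type"]))
        elif tag == "embed" and NPAPI_TYPE_RE.match(a.get("type", "")):
            self.findings.append(("npapi-embed", a["type"]))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:                             # script bodies arrive as raw data
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            for m in ACTIVEX_JS_RE.finditer("".join(self._script_buf)):
                self.findings.append(("activex-script", m.group(1)))
            self._script_buf = []


def audit_html(html):
    """Return the list of plug-in dependencies found in an HTML document, in document order."""
    parser = PluginAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_activex_free(html):
    """True when no ActiveX marker is present (NPAPI findings are reported but not counted)."""
    return not any(kind.startswith("activex") for kind, _ in audit_html(html))


# Constructed sample page; CLSID, program id and URL are placeholders, not real controls.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript">
  // old-style IE-only initialisation of a signing control
  var ctl = new ActiveXObject("Example.SecureSign");
</script></head><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="https://example.test/securesign.cab#version=1,0,0,0"></object>
<embed type="application/x-example-plugin" src="plugin.dat">
</body></html>"""

CLEAN_PAGE = "<html><body><p>Plain HTML with no plug-in markers.</p></body></html>"

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_PAGE):
        print(f"{kind:18} {detail}")
    print("sample ActiveX-free:", is_activex_free(SAMPLE_PAGE))
    print("clean  ActiveX-free:", is_activex_free(CLEAN_PAGE))
```

The auditor only inspects static markup, so a page that injects its `<object>` tags from script at runtime would need the same checks run against the rendered DOM; the markers it looks for are the same either way.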