Lights Going Out for Korean, Asian Online Monoculture

South Korea is one of the most Internet-wired countries, and also bases much of its economy on the latest technologies. However, approximately 99 percent of the country is completely reliant on a decade-old bit of software that is beginning to seriously hold the country’s Internet culture back. Internet Explorer 6 (IE 6), released in 2001, is a requirement for doing anything with a Korean bank, online shopping mall or social networking site. However, the ancient technology is also a rusty sieve, and an Internet hacker’s dream of un-patched security vulnerabilities. It must die.

IE 6 will also soon stop being supported by Microsoft when the company drops support for Windows XP, which means that the browser’s problems will never be fixed. Google Docs and YouTube officially stopped supporting IE 6 in March of this year, and it is expected that other sites will soon follow. Some, such as Facebook and Digg, have been advising users to upgrade since early 2009. Microsoft itself has said that IE 6 should be dead and gone, and has supported efforts to upgrade to Internet Explorer 8. This leaves Korea with the prospect of being left behind, in the technological Internet back room, with the lights soon to go out.

But it is not just Korea that has this problem. IE 6 is still the most popular browser in China, India, other countries in Asia, and most of Africa as well. In China, the country’s Green Dam censorship software only censors web sites accessed with IE 6. China’s banking and online shopping sites also have the same ActiveX lockin problems that Korea does. In India, IE 6 numbers are dropping steadily in favor of Firefox and Google Chrome, but they have not yet reached a majority.

Ancient History

In Korea, it all started in 1998 – ancient history in the Internet Age. The 128-bit SSL protocol had been banned from being exported out of the United States and was not available until December 1999. The only other SSL encryption option was a 40-bit protocol, but South Korean legislation did not allow it. Because the demand for 128-bit encryption was so strong, the Korean Information Security Agency funded development of a block cipher called SEED . The only way to ensure that client computers would support SEED encryption was to force them to download a SEED plugin, in either ActiveX control form for IE users, or NSplugin form for Netscape Navigator users. These plugins required a certificate issued by a Korean government authority. When Netscape declined in popularity, the ActiveX plugin for security became the only way for Korean Internet users to use encryption. And by the time 128-bit SSL encryption was cleared for export outside of the United States, Korean companies had already standardized everything based on their unique SEED cipher. SEED and government- issued security certificates are still in use today, and of course only in Korea.

Outside of Korea, IE 6 has been becoming less popular. In the United States, it is used less than 10 percent of the time now. However, its global average is 20 percent, because it is used much more often in Asia. In China alone, the decade-old browser has a 50 percent market share. The market share of all version of IE in Korea is even higher, at 99 percent. But outside of Asia, in 2010, many Internet users are actively looking forward to the death of IE 6. A Denver-based company called Aten Design Group has created a web site ie6funeral.com to celebrate the imminent death of the browser. The web site stated that the browser died of a workplace injury at Google headquarters, and announced a date and time for the funeral. Web developers have long disliked IE 6 because of its peculiarities in interpreting HT ML and CSS commands.

Unfixable Flaws

What’s so bad about IE 6 anyway? The problem is ActiveX. ActiveX is a set of commands that IE 6 accepts which allow web pages to interact with normal executable programs on a computer’s machine. The protocol is designed to allow web pages to do more than HT ML allows. Unfortunately, this “do more” functionality includes hundreds of things that malicious web site creators can use to introduce viruses to computers that visit their web pages, and has been a constant source of problems for literally hundreds of millions of people.

ActiveX has been widely criticized in security circles since its inception, and hundreds of vulnerabilities using it have been found in the 10 years since IE 6 was released. Many of them have been patched, but according to the security company Secunia, IE 6 still has 24 known, un-patched vulnerabilities. The specific vulnerabilities are all closely related, and can be summarized as ActiveX having too much power. Using ActiveX, a web site designer can make all visitors to its web site automatically download and run any executable file. This means that the web site designer is completely in control of a visitor’s computer. IE 7 and 8 changed ActiveX to make them safer. They required user agreement before the files would be downloaded and run. This is marginally safer, but it initially broke the functionality of many Korean web sites. Over the past few years, most of them have become compatible with IE 7, but it has been a slow process.

Hackers used security vulnerabilities in IE 6 during two famous cyber attacks in 2009. The first was a massive distributed denial-of-service attack against Korean and U.S. government and financial web sites, which was executed by an army of compromised computer systems. Most of the systems involved in the attack were located in South Korea, and the systems were compromised using a vulnerability in IE 6 and a popular file-distribution system, WebHard, which is dependent on ActiveX controls. Despite the press generated by the attack, no lasting damage occurred other than some companies being forced to take down their web sites for a few days.

The second attack in December 2009 was much more malicious. It is suspected that China-based hackers exploited a flaw in IE 6 and Adobe Acrobat documents to steal proprietary information from dozens of international companies working in China, including Google. Also, the flaws were used to target emails of human rights activists inside and outside of China. Google issued a statement letting the cat out of the bag and other companies followed suit, admitting that their computer systems had also been compromised. Google also said in the same statement that it was no longer willing to cooperate with the Chinese government in censorship of its search engine within China because of those attacks, although that issue is still up in the air.

IE 6 has also always had problems with rendering HT ML in a standards-compliant way. It only ever partially supported CSS 1.0, which means that web sites have always looked different in IE 6 and other web browsers. Web developers have either adapted to write difficult and hard-to-understand fixes for IE 6 peculiarities, or have given up supporting other platforms and written all of their web designs for IE 6 only. The browser also does not support the partial transparency of the PNG image format, hampering its growth and popularity in web design. The browser is also notoriously unstable. Single lines of HT ML code inserted in a web site can cause it to crash, and have been well documented.

March of Progress

Until recently, these problems have been overlooked or tolerated in the Korean Internet world. IE 6, 7, and 8 were all free, and they worked perfectly fine for most people. The fact that many Korean computer users were familiar with the inevitable degradation of a computer system, which led to an unavoidable reinstall of the OS was shocking to outside observers such as this reporter, but it is par for the course. The dissatisfaction started when the iPhone was finally cleared for sale by Korean government regulations. Korea Telecom has sold more than 200,000 iPhones since the end of November 2009. Savvy Korean technology users began complaining that their banking services did not include iPhone support, due to the culture of relying on ActiveX for security. This reliance is mandated by the Financial Supervisory Service’s (FSS ) guidelines for financial services provided on smartphones, which decided in January of this year to subject smart phone financial services to the same regulations that govern online transactions on personal computers. This means public key certificates issued by the government. And that means ActiveX. The iPhone simply does not support ActiveX, or IE at all. It uses the Safari web browser.

The growing popularity of other web browsers such as Safari, Chrome and Firefox is another trend that cannot be ignored. Each of the browsers has advantages and disadvantages, but they all have one thing that IE 6 does not – full support for all the latest web standards. Making a web site using strict web standards is something that works great in theory, and in the other three browsers, but not IE 6. Also, the newest version of HT ML, HT ML5, will eventually come out. The particulars of the language are being worked out now, and it is already partially supported by Safari, Chrome and Firefox. The language is expected to enter “recommendation” stage in 2012. There is absolutely no chance that IE 6 will be able to support HT ML5. The only IE -based browser that will do so will be Internet Explorer 9.

Korea Must Upgrade

In this case the solution is simple and clear. Korea’s various financial institutions, online marketplaces, social networks and government agencies must upgrade to browser-independent solutions for their various online offerings. But it is easier said than done. The reason that they do not do so already is because government regulations require that they support ActiveX. This is a bureaucracy problem.

The Korean government, in its many different ministry incarnations, has done a lot to help the hardware technology industry for the last 40 years. It can arguably be said that the Korean government built its high-tech hardware industry from the ground up, practically forcing companies like Samsung and LG to stop producing non-technologyrelated goods and making them make radios with the threat of large fines. Later, it was TVs, then computer components. In this hardware industry, the heavy hand of government had been exactly what was required.

But in the software industry, or the Internet, the heavy hand of government has only been keeping the country back. There is very little Internet innovation within Korea. In fact, most Internet-related startups in Korea look overseas for both their users and their inspiration. Korea’s Internet culture is trapped by government bureaucracy. It is trapped in the last decade, at the mercy of even the least skilled hackers and the most powerful viruses. It is trapped away from innovative paths of development, by outdated regulations and outmoded forms of security. In the case of the Internet, the Korean government should simply step back and let it evolve on its own. Internet trends are just too fast to regulate, and any attempt will simply stifle the development to the detriment of the countries involved.

This is not going to be easy, but the first cracks have already been created. The Korean government regulations for smart phones to include an outdated Wireless Internet Platform for Interoperability (WIPI ) functionality that is only required in Korea were bent in order to let the iPhone into the country, and the result was 200,000 smartphones free from outdated government requirements. There will be a second crack in the bureaucracy, and then more and more. No one knows how much new technology it will take to push Korea, kicking and screaming, into the 21st century, but the new technology is not letting up. Eventually they will have to cave.