Can Korea successfully ditch ActiveX once and for all?

Tech July 17, 2017 20:59

By SOHN JI-YOUNG
THE KOREA HERALD
ASIA NEWS NETWORK
SEOUL

DESPITE being known for cutting-edge tech hardware, South Korea has long been held back in the area of software by an outdated security requirement that almost every user loves to hate - ActiveX plug-ins.



Like the previous administration, Korea's new President Moon Jae-in has pledged to abolish ActiveX downloads from all government websites to improve user convenience and catch up with global cybersecurity standards. But the solution proposed by the government - EXE extensions - is a similar system that fails to address many of ActiveX's flaws.

Developed by Microsoft in 1996, ActiveX plug-ins are security software that only run on Internet Explorer. Due to security flaws, it has long been phased out overseas, with even its creator removing ActiveX from its current browser Edge. In 1999, the government passed a law requiring all online shoppers to install ActiveX plug-ins, as well as state-issued "digital certificates" - also considered a nuisance in Korea - as proof of ID.

This decades-old system has endured to this day, largely because the government, major banks and credit card companies have continually built their services based on the ActiveX software. The move has effectively tied Korea with Internet Explorer, a browser that has fallen out of fashion to the extent that it is not available on many operating systems. 

For years, Koreans have complained that ActiveX and the additional cybersecurity programs that must be installed to compensate for security flaws, make online banking, shopping and accessing government services on the web a cumbersome process.

Last week, the State Affairs Planning Advisory Committee, the Moon administration's de facto transition team, announced that it would "eradicate ActiveX plug-ins from all government-run websites by 2020."

Likewise, the Ministry of Science, ICT and Future Planning and the Korea Internet and Security Agency have said they would remove ActiveX from the country's 100 most popular websites operated by private companies by the end of this year.

However, whether the problems associated with ActiveX and its barrage of add-ons will truly disappear remains unclear. That's because the EXE extensions the government plans to replace them with have many similarities to the existing system.

While pledging to fully eradicate ActiveX from government websites by 2020, the Korean government has also said it will apply EXE files - executable file extensions used to install additional programs on Windows - in cases where ActiveX cannot be fully removed.

EXE extensions are an improvement from ActiveX in that they can run on other web browsers like Google's Chrome and Firefox, in addition to IE. However, they also require installation by users, similar to ActiveX, fuelling criticism that EXE will be no different from the ActiveX system.

Online critics and commentators have argued that the adoption of EXE will once again trap Koreans in a so-called "plug-in prison" highly reminiscent of ActiveX. 

"What we are asking for is removal of ActiveX and all the cumbersome processes related to it. Replacing ActiveX with EXE is far from reform that improves user convenience. Why doesn't the government get it?" wrote one online commentator.

The main proposed alternative has been to push for the adoption of the globally used HTML5 standard, under which encryption software can be built in for security without the need for extra plug-ins. It is under this standard that one can make payments on global e-commerce websites like Amazon and eBay by using just a username, card number and password.

But Internet system experts say a wholesale switch to HTML5 could bring problems of its own, making provision of some services difficult. 

"Some suggest that the government must also eradicate EXEs and completely overhaul its current cybersecurity and authentication system," said Choi Young-jun, manager of the Internet infrastructure team at KISA.