
they use a non-standard encryption algorithm, so what?


Posted Jan 26, 2007 19:27 UTC (Fri) by khim (guest, #9252)
In reply to: they use a non-standard encryption algorithm, so what? by stevenj
Parent article: The cost of monoculture (Gen Kanai)

It does not matter if the specification is open or closed. What does matter is that it's not embedded in MS IE - and MS IE is the market leader. Thus banks are using Active X. If they are using Active X it does not matter anymore what this Active X does: it's only compatible with MS IE so all other browsers (including Firefox with SEED patch) are cut off.



they use a non-standard encryption algorithm, so what?

Posted Jan 26, 2007 20:31 UTC (Fri) by stevenj (guest, #421) [Link]

But if you know the encryption protocol, how hard could it be to spoof the Active X control? Not trivial, certainly, but I would have thought that this would have been priority numero uno for every hacker in South Korea for nearly a decade now.

they use a non-standard encryption algorithm, so what?

Posted Jan 26, 2007 21:30 UTC (Fri) by Los__D (subscriber, #15263) [Link]

It's bank software, it's probably both near-impossible and highly illegal to "spoof"...

they use a non-standard encryption algorithm, so what?

Posted Jan 27, 2007 1:21 UTC (Sat) by stevenj (guest, #421) [Link]

Why? I'm not suggesting hacking into the bank, or running anything on the bank's computers. Everything is on the client side; it's just a matter of talking to the bank computers using the correct protocol.

they use a non-standard encryption algorithm, so what?

Posted Jan 27, 2007 1:30 UTC (Sat) by Los__D (subscriber, #15263) [Link]

AFAIK (I'm no expert though), ActiveX objects are signed, so that you can't spoof them (to the client). Banks would probably use the same technique the other way around, so that they know the object is really theirs. Breaking that would probably be very hard, and legally amount to hacking. In the US at least it would be a DMCA violation; here in Denmark, and most of the EU, we have something similar.

I have no idea what the rules are in South Korea, but I have this feeling, you know ;)

they use a non-standard encryption algorithm, so what?

Posted Jan 27, 2007 3:31 UTC (Sat) by stevenj (guest, #421) [Link]

Signing an ActiveX object can only authenticate it to the client, not to the server, since it is not running on the server. The only way the server could use digital signatures to force a specific client binary, as opposed to specific client algorithms, would maybe be to use some sort of "trusted computing" where the client doesn't control their own hardware, and even that is dicey. Think about it.

they use a non-standard encryption algorithm, so what?

Posted Jan 27, 2007 10:10 UTC (Sat) by Los__D (subscriber, #15263) [Link]

Hmmmm, maybe you are right, unless there's a way to hide a key inside the ActiveX object, to encrypt the messages to the bank (on top of the SEED).

And they probably don't care THAT much, as long as the server can authenticate the user, then I guess it's all good.

they use a non-standard encryption algorithm, so what?

Posted Jan 28, 2007 9:15 UTC (Sun) by tialaramex (subscriber, #21167) [Link]

Sure, doing what you propose is...

* Possible, but...
* Difficult and thus expensive/time consuming, perhaps hundreds of man months of labour to achieve nothing of consequence because it is...
* Fragile, since the non-standard higher level protocols can be changed at any time and for any reason by the banks in their proprietary code, and...
* Most likely illegal or at least grounds for having your account frozen due to its potential to interfere with the normal operations of the bank

they use a non-standard encryption algorithm, so what?

Posted Jan 26, 2007 21:47 UTC (Fri) by ajross (subscriber, #4563) [Link]

Yes, but none of that would make the web page work in a user's non-standard browser, which is the issue at hand here. Your point is analogous to arguing that IE-only websites aren't a problem because HTTP is an open standard.

they use a non-standard encryption algorithm, so what?

Posted Jan 27, 2007 1:37 UTC (Sat) by stevenj (guest, #421) [Link]

I think people need to keep better hold of their jerking knees...

I didn't say it wasn't a problem; it is a tremendous annoyance, and egregiously stupid. What it should not be, however, is the situation described in the article—something that absolutely prevents online transactions by non-IE users. As I said, I don't understand why this wasn't hacked around years ago (perfectly legally), even if it would obviously be better for Korea to switch to a standard protocol. What am I missing?

Think about people using Microsoft file-sharing protocols or Microsoft document formats. Are these tremendous annoyances? Yes. Is it crazy for governments to standardize on these things? No question. Does it absolutely prevent GNU/Linux users from communicating with Windows users? Hardly, thanks to Samba and OpenOffice.org...and they had the much harder task of reverse-engineering a proprietary, vendor-specific protocol that is constantly changing, whereas here we have an open, fixed, government-provided specification (just different from the rest of the world).

they use a non-standard encryption algorithm, so what?

Posted Jan 27, 2007 4:29 UTC (Sat) by k8to (subscriber, #15413) [Link]

Maybe it doesn't end up being a single hack, but an ongoing maintenance nightmare to make the thing work across the various implementations and quirks of all the different agencies. Maybe to make things work properly you need to implement IE behavior quirks, spoof multiple revisions of the ActiveX plugin behavior, and write an ActionScript layer or whatever the Microsoft ECMA thingy is called.

At least, that's what I would expect the situation to look like, given so wide use of such tools.

If true, it's not just a simple matter of code, it's coding and testing with a very long list of things to verify. Still doable, but perhaps daunting enough to get traction from starting. And if the society is sort of "use windows or go away", there may not be a necessary seed group of people motivated to defeat the system.

s/ActiveX/SMB/

Posted Jan 29, 2007 23:25 UTC (Mon) by GreyWizard (subscriber, #1026) [Link]

Which of these statements would NOT apply to the situation with SMB and Samba?

they use a non-standard encryption algorithm, so what?

Posted Jan 28, 2007 14:53 UTC (Sun) by gnb (subscriber, #5132) [Link]

The "perfectly legally" bit of your comment is the problem. It _might_ be
legal to reverse engineer the protocol (or not, I know nothing about
Korean law) but if the bank tells customers to access the web site using
the ActiveX control supplied then it's almost certainly a breach of their
terms and conditions to use something else. Which is inviting far more
grief than most people will want. The fact that it's technically possible
isn't really much help.
