In this blog post, we will examine the reasons why South Korea still adheres to outdated public certification certificates and the problems that arise from this.
With the rapid development of the Internet, it has become impossible to live without it these days. We can quickly obtain the information we want and enjoy a wide variety of entertainment. In particular, the Internet has greatly contributed to changes in consumer culture: for quite some time now we have been able to shop without leaving the house, with goods delivered to our doorstep after just a few clicks. There is no doubt that this is very convenient, but anyone who actually tries to shop online in Korea runs into many inconveniences. When shopping online, you have to install various programs and, in the end, you must verify your identity through the public certification system. This is really troublesome and annoying when shopping at multiple sites, but users have no choice, because transactions are not possible without public certification. It would be acceptable if the public certificate, which requires several complicated steps, were at least secure, but it has been found to be outdated and vulnerable to security breaches. Why has South Korea, an IT powerhouse, continued to use public certificates for decades when they offer so few advantages?
A public certificate is electronic information issued by a public certification authority for the purpose of identifying users in e-commerce, preventing document forgery and alteration, and preventing repudiation of transactions. It is a kind of seal certificate for cyber transactions. About 15 years ago, as the Internet penetration rate in Korea increased dramatically and financial transactions such as Internet banking began to flourish, security became necessary. At that time, almost all PCs used Microsoft Windows as their operating system, and it was no exaggeration to say that Internet Explorer was the standard web browser. The problem was that the security algorithms used at the time, Korea’s own encryption algorithms (SEED and ARIA), were not supported by Internet Explorer. Therefore, as a last resort, a browser plug-in technology called ActiveX was used to implement these algorithms inside Internet Explorer. Since 2003, the use of public certificates has been required by law for all electronic financial transactions.
ActiveX seemed like an innovative solution at first, but its limitations became apparent over time. Compatibility problems with current browsers, cumbersome installation processes, and security vulnerabilities all cause inconvenience to users. Now is the time to introduce new technologies and methods.
IT technology changes day by day, but public certificates are still used as our security system. There are three main reasons why public certificates are becoming obsolete. First, public certificates are ActiveX-based, so they only work in Internet Explorer. Of course, when the public certificate system was introduced, Microsoft’s policy of bundling Internet Explorer with its products meant that almost all users were using Internet Explorer, so this was not a major problem, but now it is very inconvenient for people who use other web browsers. According to statistics from StatCounter, in July 2013, Internet Explorer accounted for 72.76% of the browser market in Korea, while Chrome accounted for 21.22% and Firefox for 2.9%. Internet Explorer has no advantage that would justify dominating all other browsers to this degree; the figure reflects the fact that many people keep using it only because ActiveX and public certificates work nowhere else. Globally, Chrome is the most widely used browser with 43.12%, followed by Internet Explorer with 24.53% and Firefox with 20.09%.
In reality, each browser has its own advantages, and it is right that people should be able to choose the web browser that suits them best according to their personal preferences. However, the reality is that many people are forced to choose Internet Explorer because of the public certificate that only works in that browser. The second reason is the inconvenience of ActiveX. Although ActiveX is necessary given the nature of public certificates, there is no standard for the ActiveX controls that sites use.
Therefore, each site uses its own ActiveX controls, and users must install ActiveX again and again. Furthermore, the trouble does not end once an installation completes. During installation, the information previously entered is reset and the screen returns to the initial page, so users must re-enter everything, which is an additional hassle. In some cases, if the installation goes wrong, the information is reset several times, and consumers waste a great deal of time.
The third reason is the security vulnerability of public certificates. Nowadays, when surfing the Internet, even if you are not shopping, you will find that many websites require you to install ActiveX for specific tasks. Generally, when installing ActiveX, people tend to click “Yes” without thinking. In most cases this is harmless to the computer, but sometimes an ActiveX control contains malicious code. When you install ActiveX, you give up some control over your computer, which lowers your security level and makes you a prime target for hackers. It is best not to install files requested by uncertified sites, but many Internet users are unaware of this, which can lead to problems. Even those who are aware of the issue often have no choice but to install ActiveX in order to use a site, so they end up installing it reluctantly. Even Microsoft has acknowledged the security vulnerabilities of ActiveX and has been reducing support for it with each new version of Windows. Furthermore, although public certification was a valid technology 15 years ago, it is now a technology that has fallen far behind international standards. On top of that, once the government made it mandatory by law, there was no longer any reason to innovate. With a handful of public certification authorities monopolizing the technology for over a decade, problems have accumulated and development has come to a standstill.
Furthermore, the use of public certificates is not just a technical issue, but also an economic and social one. For example, small and medium-sized enterprises and startups incur high initial costs and spend a lot of time due to the complicated public certificate procedures. This ultimately acts as a barrier to innovation and growth.
Finally, there is the issue of responsibility that arises from the use of public certificates. Public certificates can be described as cyber seal certificates that contain electronic information used to verify the identity of individuals in e-commerce. In other words, they contain personal information and are therefore very important data, yet they are currently stored on the hard drives of personal computers or on USB drives for use. It is understandable that non-experts cannot be responsible for the security of their own computers. However, under the current public certification system, individuals are responsible for managing their own personal information, and if it is leaked through a hacker attack, the responsibility lies entirely with the individual. I believe this is the biggest flaw of public certification certificates. From the perspective of banks, this system is very beneficial. Even if security is breached, they can shift the responsibility to their customers and do not have to provide any compensation. Banks are surely aware of the technical vulnerabilities of public certificates, but since the system is already mandated by law, they have no need to develop new technologies. It is truly unfair to individuals. As anyone who has made an overseas payment knows, foreign websites offer much simpler payment methods. Even without public certificates or ActiveX, payments can be made through simple methods such as email or SMS authentication. Major overseas institutions take a different approach to security. Although holding customers’ personal information in order to process payments carries risk, companies compete to invest in security, and companies without the financial resources to do so collect only a minimal amount of personal information. In Korea, companies shift the responsibility to users when an incident occurs, whereas in other countries the companies themselves are responsible, which is why that kind of system is possible there.
Recently, the drama “My Love from the Star” became a huge hit in Korea and was successfully exported to China. As a result, Chinese consumers tried to purchase the costumes and other items worn by the characters in the drama from online shopping malls in Korea, but they were unable to make payments because they did not have a public certificate, which was a ridiculous situation. Only then did the president and other high-ranking government officials recognize the problem with public certificates and begin efforts to revise the law so that payments of less than 300,000 won can be made without a public certificate. It is sad that the problem of public certificates, which has plagued the Internet in Korea for years, only resurfaced because of the shopping difficulties of Chinese consumers.
The controversy over the abolition of public certification certificates has been going on for years, and the government is clearly aware of the issue. I do not think that the government is unable to abandon public certification certificates because there is no alternative. Rather, one can reasonably suspect that the government is unable to abandon them because of the benefits it gains from the institutions that issue public certification certificates and the convenience the system offers to banking institutions. This is clearly an act of disregard for the people. It may be unreasonable to abolish the public certificate system without sufficient measures in place. However, looking at examples from other countries, it is clear that e-commerce is possible without public certificates, and that there are methods which are both more convenient and more secure. The government must abolish the public certificate system for the sake of the people of Korea, not for the sake of foreign users.