This article discusses the inconveniences and problems of still using public certificates in the modern world of online shopping and financial transactions, highlighting their historical background, technical limitations, security vulnerabilities, and the need for alternatives.
With the rapid development of the Internet, we can’t live without it these days. We can get the information we want quickly, and there are various entertainment options. In particular, the Internet has contributed to the change in consumer culture, and it’s been quite a while since we’ve been able to shop from the comfort of our own homes and have items delivered to our doorsteps with just a few clicks. While this has certainly been very convenient, there are a number of inconveniences that come with shopping online. You have to install new programs, and then you have to authenticate with a public certificate. It’s really annoying and tiresome if you shop at multiple stores, but users can’t do anything about it because transactions are impossible without a public certificate. It would be great if public certificates were secure, but they are an outdated technology that has been proven to be insecure. Why has South Korea, an IT powerhouse, stuck with public certificates for decades?
A public certificate is electronic information issued by an authorized certification authority for the purposes of verifying identity, preventing forgery and alteration of documents, and preventing the repudiation of transactions in e-commerce; it is a kind of seal certificate for cyber transactions. About 15 years ago, as the Internet penetration rate in Korea increased dramatically and financial transactions such as Internet banking began to take off, security became a necessity. At the time, almost all PCs were running Microsoft’s Windows, and Internet Explorer was the standard web browser. The problem was that the security algorithms used at the time, Korea’s own cryptographic algorithms (SEED, ARIA), were not supported by Internet Explorer, so the workaround was to bring in a technology called ActiveX to implement the algorithms inside Internet Explorer. Since 2003, all electronic financial transactions have been legally required to use public certificates.
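The three functions named above (identity, integrity, non-repudiation) are what any certificate-based signature scheme provides, independent of the ActiveX delivery mechanism. The following is an added example, not code from the original article or from any Korean certification authority: a hypothetical CA issues a user certificate, the holder signs a constructed shopping order, and the merchant side checks that the certificate chains to the trusted root and that the signature matches exactly this order. It uses Go’s standard library (`crypto/x509`, `crypto/ed25519`); the CA name, the order fields and the holder name are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Order is a constructed shopping-mall transaction that the certificate holder signs.
type Order struct {
	Merchant  string
	AmountWon int
	OrderID   string
}

// Canonical returns the exact bytes that are signed; any change to the order changes them.
func (o Order) Canonical() []byte {
	return []byte(fmt.Sprintf("merchant=%s;amount=%d;order=%s", o.Merchant, o.AmountWon, o.OrderID))
}

// CA is a hypothetical certification authority holding a root key and self-signed root certificate.
type CA struct {
	key  ed25519.PrivateKey
	Cert *x509.Certificate
}

// NewCA creates the root: a key pair and a self-signed CA certificate.
func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{key: priv, Cert: cert}, nil
}

// Issue binds the holder's name to a fresh key pair: this is the "seal" the CA hands out.
func (ca *CA) Issue(holder string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, priv, nil
}

// Sign is the holder "stamping" an order with their private key.
func Sign(priv ed25519.PrivateKey, o Order) []byte {
	return ed25519.Sign(priv, o.Canonical())
}

// VerifyOrder is the merchant's check: the certificate must chain to the trusted root
// (identity), and the signature must cover exactly this order (integrity, non-repudiation).
func VerifyOrder(root, cert *x509.Certificate, o Order, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	if !ed25519.Verify(pub, o.Canonical(), sig) {
		return fmt.Errorf("signature does not match this order")
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	cert, key, _ := ca.Issue("Hong Gildong (constructed)")
	order := Order{Merchant: "example-mall", AmountWon: 250000, OrderID: "A-1"}
	sig := Sign(key, order)
	fmt.Println("genuine order:", VerifyOrder(ca.Cert, cert, order, sig))
	tampered := order
	tampered.AmountWon = 2500000 // altered in transit
	fmt.Println("tampered order:", VerifyOrder(ca.Cert, cert, tampered, sig))
}
```

The point of the example is where the checks live: the signature only proves anything if the verifier also validates the chain to a root it trusts, and a certificate from an unrelated CA must be rejected even when its signature over the order is mathematically valid. None of this requires a browser plug-in; the same verification works from any language with an X.509 library.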
While ActiveX seemed like a revolutionary solution at first, its limitations became apparent over time. Incompatibility with modern browsers, installation hassles, and security vulnerabilities have become a source of frustration for users. It’s time to move on to new technologies and methods.
IT technology is changing every day, but public certificates are still our current security system. There are three main reasons why public certificates are an obsolete technology. The first is that they are ActiveX-based, which means they only work with Internet Explorer. Of course, this wasn’t a big deal when the scheme was introduced, because almost everyone was using Internet Explorer due to Microsoft’s policy of bundling it with Windows, but for people using other web browsers today, it’s a huge hassle. According to StatCounter, in July 2013, 72.76% of users in South Korea used Internet Explorer, 21.22% used Chrome, and 2.9% used Firefox. This is despite Internet Explorer having no particular advantage over other browsers; many people use it only because ActiveX and public certificates run nowhere else. Globally, Chrome is the most popular browser at 43.12%, followed by Internet Explorer at 24.53% and Firefox at 20.09%. In reality, each browser has its own advantages and the choice is a matter of personal preference, but many people are forced into Internet Explorer by the public certificate that only works there.
The second reason is the inconvenience of ActiveX. Although ActiveX is required by the nature of public certificates, there is no standard for it. As a result, each site uses a different ActiveX control, and users have to repeat the installation over and over again. In addition, the installation is often not clean: the process resets the information you’ve already entered and returns you to the previous screen, so you have to enter everything again. If the installation goes wrong and the information is reset several times, the consumer ends up spending a lot of time on it.
The third reason is the security vulnerabilities of public certificates. If you surf the Internet these days, you’ll notice that a lot of sites require you to install ActiveX for certain tasks, even if you’re not shopping. We usually click “yes” to install ActiveX, and while most of the time it’s harmless to your computer, sometimes an ActiveX control contains malware. Because you’re giving up some control of your computer when you install ActiveX, you’re also giving up some security, which can make you a prime target for hackers. It’s always a good idea to avoid installing files from unauthorized sources, but many Internet users don’t realize this, which can be a problem. In fact, even those who are aware of the problem often install it anyway, reluctantly, because they can’t even use the site without it. Even Microsoft has acknowledged the security vulnerabilities of ActiveX and is reducing support for it with each new version of Windows. Also, while public certificates may have been a valid technology 15 years ago, they are now an outdated technology that is far from international standards. And when governments mandate them by law, there’s no longer any reason to innovate. A handful of certification authorities have had a monopoly on the technology for over a decade, so the problems pile up and there is no further progress.
Furthermore, the use of public certificates is not just a technical issue, but also an economic and social one. For example, for small and medium-sized enterprises and startups, the complexity of the certification process can be costly and time-consuming upfront. This in turn hinders innovation and growth.
Finally, there’s the issue of liability. A public certificate can be described as a cyber seal certificate that contains electronic information used to verify a person’s identity in e-commerce. It is a very important document because it contains personal information, and it is currently stored on a personal computer’s hard drive or a USB drive. It is true and quite natural that non-professionals cannot be responsible for the security of their own computers. However, the current certification system requires you to manage your own personal information, and if it gets into the hands of hackers, the blame falls on the person who failed to manage it. I think this is the biggest blind spot of the certification system. From the bank’s point of view, it’s a great system. They don’t have to compensate customers for security breaches because they can blame their customers rather than themselves. I’m sure banks are aware of the technical vulnerabilities of public certificates, but the law already regulates them, so they don’t have to develop new technologies. It’s really just the individuals who are being screwed. As anyone who’s ever made an international payment knows, it’s much simpler to pay on foreign sites. There’s no need for public certificates, ActiveX, or anything else, just simple verification via email or SMS. Major international organizations approach the issue of security differently. Although holding personal information in order to process a payment carries risk for a company, companies are willing to invest in security, and companies that cannot afford it are willing to operate with little personal information. This kind of system is possible because, whereas companies in Korea put the responsibility on the user when an incident occurs, in other countries the company takes the responsibility.
Recently, a drama called “You from the Stars” became very popular in Korea and successfully entered China. As a result, Chinese consumers tried to buy the clothes and other goods worn by the characters in the drama from Korean online shopping malls, but they were unable to pay because they did not have a public certificate. Now senior government officials, including the president, have recognized the problem of public certificates and are trying to amend the law to allow shopping malls to accept payments of up to 300,000 won without one. It is sad that the issue of public certificates, which has plagued the Korean Internet for years, has resurfaced only because of the shopping problems of Chinese consumers.
There has been an ongoing debate about abolishing public certificates for years, and the government must be aware of the problem. I don’t think the government’s inability to abandon them is due to a lack of alternatives. Rather, it may be because of the benefits they receive from the organizations that issue them and the convenience they provide to banking institutions, which is a clear disregard for the people. It may be unreasonable to abolish the certificate system without adequate measures in place. However, the evidence from other countries shows that e-commerce is not only possible without a public certificate, it is also easier and more secure. The government should abolish the public certificate system not only for the sake of foreign users, but also for the sake of Korean citizens.