Skip navigation.

ODIN Blog

Opera Developer Network

Banking, the ActiveX challenge

By Zi Bin, Cheah. Friday, 13. November 2009, 16:21:18

, , , ...

I was invited to speak to a group of developers at the China Bank of Communications. It was an opportunity to get to know how the IT side of the banking sector works, and to ask them “Why ActiveX”?

First, some background — most if not all Chinese banks use ActiveX for their customer banking, so without ActiveX you can’t do online banking in China. Similar issues are happening in South Korea and perhaps other places too. The ActiveX plugin is used to prevent the stealing of passwords by keylogger trojans.

After presenting, the discussion dived right into questions and answers; it was very stimulating and I learned a lot about the perspective of developers working with banks. During the discussion, the thousand dollar question was “If not ActiveX, then what?” I suggested three possible solutions:

  • First, if your bank insists on using plugins, then use the NPAPI plugin interface. NPAPI is arguably more secure than ActiveX because it is solely an Internet plugin, while ActiveX can also tinker with your operating system (for example components in Office applications). Opera, Safari and Firefox all support the NPAPI plugin.
  • If ActiveX is used only to prevent keyloggers, then another solution might be to only allow users to type their login credentials using a virtual keyboard. This could however be a bane for accessibility.
  • The third option is to drop plugins altogether and use a one-time password generator. This crossed my mind with banks in Norway which I am provided with a calculator (I use Nordea Bank). A one-time password calculator will not have the spillover security concerns of ActiveX.

Options above are used to prevent password-snatching while a user is typing in the login credentials - before he or she clicks on the login button which sends the login credentials through a HTTPS secure channel.

On the HTTPS side of things, using Extended Validation (EV) certificates will give bank users better assurance since EV certificates goes through a much more rigorous process before it is given out. Browsers with EV support display more information for EV certificates than for previous SSL certificates. IE8, Firefox, Safari, Google Chrome and Opera support Extended Validation.

During the discussion, I realized that many developers are sympathetic towards standards, including those implementing non-standard ActiveX. I used the word sympathetic because many developers I know are idealist and being idealists they want the world to be a better place. The world is a better place without non-standard code, but the reality is that developers earn their living through customers, and therefore maintaining the existing systems that they already use.

There is more than one way to solve the ActiveX dilemma in the banking industry. It’s a legacy issue, for sure, but maybe the real problem is resistance to change?

Note: The PDF version of the presentation can be downloaded here, entitled Web 2.0 and Web Standards.

4 comments

Standards.Next CSS3 event coming soon to the big apple

By David Storey. Wednesday, 11. November 2009, 12:08:28

, , , ...

With two successful Standards.Next events behind us, we are taking the show on the road to the Big Apple for an event focusing on CSS3. As always, the event is free and anyone can attend. Standards.Next CSS3 will take place on the 20th November at the Time-Life building in New York City. Time & Life Inc. have generously let us use one of there rooms for the day. Space will be limited so please register your interest on the events Upcoming page. If we reach capacity people will be admitted on a first come, first served basis, so please turn up early if you want to absolutely guarantee a spot. We hope to have space for everyone though.

For a free event we have a stellar line up of speakers, and you could be amongst them. At the present moment we have confirmed that Molly E. Holzschlag and Håkon Wium Lie of Opera will be presenting, along with top selling CSS author Andy Budd and Internet Explorer Product Manager Pete Le Page. We will also have lighting talks from interested participants.

The Web design world has been abuzz about CSS3 for along time now, with border-radius being the poster child, along with Web Fonts. We will show these and the many more features of CSS3 that are available now and the near future. With at least two members of the CSS Working Group in attendance, the event will be a perfect way to give feedback on the current and future direction of CSS. We are looking forward to meeting some of your there.

4 comments

HTML5 at London Web Standards

By Bruce Lawson. Tuesday, 10. November 2009, 15:58:23

I was privileged to be invited to come and present at London Web Standards, and honoured that the tickets sold out within 45 minutes of being available. So, no pressure then ...

Assisted by the lovely Henny who advanced my slides and alt-tabbed from slideshow to demo, I sneezed and snuffled my way through a presentation called HTML5 and Friends (PDF, 723K).

The resources that I demoed were

You can also download Opera 10 which I was using to demo.

Opera Developer Network has some beginner's canvas tutorials available:

  1. HTML 5 canvas - the basics
  2. Creating an HTML 5 canvas painting application
  3. Creating pseudo 3D games with HTML 5 canvas and raycasting
  4. Creating pseudo 3D games with HTML 5 canvas and raycasting: Part 2

For the second half of the talk, I built an HTML5 page through the magic of live coding (with lavish prizes!).

Consequently there are no slides to publish, but I have an article called Designing a blog with HTML that covers the same ground. (Two articles on my personal blog cover it in much more detail: Redesigning with HTML 5 and WAI-ARIA and Marking up a blog with HTML 5 (part 2).)

The shocking looseness of HTML5's validation rules is discussed in an article I wrote called HTML 5 + XML = XHTML 5. The main take-home should be that, although you can mix quoted or unquoted attributes, upper and lower case freely (even in the same page), you shouldn't: if you do, you'll make your code an unreadable and therefore unmaintainable mess. Choose one coding convention that works for you and stick to it.

Some other useful resources:

Thanks to all who attended and asked great questions. I'm sorry that I had to charge off before the bar shut (not like me at all!) but my son was sick so I needed to get the last train home.

3 comments

The lengths to go to, to get a site fixed!

By Shwetank Dixit. Thursday, 5. November 2009, 10:11:33

,

There is this site, which had some very archaic code, which blocked Opera. Incidentally, that site is very big in India, and consequently, was India's most reported site compatibility problem regarding Opera. We quickly figured out what was wrong in the JavaScript code, and now it was only a matter of letting them know what's wrong so that they fix it and unblock Opera.

They had contact information on their site. First I tried their online contact form. No response. A few days later, I tried another contact form, again no response. Hmmm....

Then I found out a few email addresses. I wrote to them, including their webmaster address. Still no response. Then I thought, I might as well give them a call. On the phone, the person asked me to write to a different email address, so I did that. Still days later no response :frown: Called again, and finally got the number of the project manager of the site, and discussed the solution with him. He seemed supportive, and gave his personal email address, and requested me to email him with the solution again. Did that. Still no cigar!

A few more calls were made, with promises that the site would get fixed. Nothing happened. My only last hope was to meet them face to face.

I was going to that city in the near future for some conferences, and I thought I'll stop by their office as well. Well, the site in question belongs to a large financial entity, and had a LOT of security at their headquarters. They scanned me, my wallet, my bag, my laptop, made a note of which laptop i was carrying, verified with the people I was going to meet that I indeed was scheduled to meet them, and gave me a slip which I had to sign from the people and hand it out to the security when I walked out the building as proof that I indeed met them. All in all, I think I had to go through around 5 layers of security, of various types. No, I'm not joking.

Anyway, I got to the meeting room on the first floor and realized I had the edited source code with me in Opera (I had edited it to see whether the solution works). To show them the problem, I needed to refresh the page so that the original source code was available, and change it once again in front of them to show how to fix it. However, wi-fi wasn't available, and no ethernet cord was there in the meeting room as well. So they did the next best thing.

They printed out the source code of the pages in question and gave it to me. So now I have their site source code on a bunch of paper, and a pen which they graciously offered me, and had to explain what was on wrong in their own source code and how to fix it by marking it with pen and paper. Great!

Finally I did that, and I was glad that they finally got the solution. They were quite pleased to know that Opera pays so much attention to site compatibility and that we have a dedicated team for it. A few days later I got the news that they had fixed the issue, and the site no longer has the code which blocks opera.

The lengths to go to, to get a site fixed!

31 comments

Opera Mobile 10 and its remote debugging party trick

By Daniel Davis. Tuesday, 3. November 2009, 08:50:48

, , ,

Following on our Opera Mini 5 beta launch, we've just announced the release of another mobile browser — this time it's Opera Mobile 10 beta for Symbian. While they both feature a similar redesigned UI, Opera Mobile 10 makes the most of your smartphone's capabilities, featuring a full JavaScript and layout engine.

Naturally there are many improvements for mobile surfers to enjoy, but what will be of particular interest to developers are the enhancements to Presto, our rendering engine. Not only is it much faster than the previous incarnation of Opera Mobile, but you may also be impressed at its standards support. You can read more about Opera Mobile 10 from a developer's perspective over at dev.opera.

In addition there is one more feature aimed at developers that we're particularly proud of and that is the ability to remotely debug a web page on your mobile phone using Opera Dragonfly on your desktop. Put more simply, as you edit the web page's code on your desktop, its display is dynamically updated on your mobile phone. The process is as follows:

  1. (Desktop): Make a note of your local IP address and fire up Dragonfly.
  2. (Desktop): Enable remote debug in Settings and click Apply then OK in the pop-up dialog box.
  3. (Mobile): Open opera:debug, enter your desktop's IP address and click Connect then OK in the pop-up dialog box.
  4. (Desktop): Click OK in the pop-up dialog box to download the new version of Dragonfly, then click OK.
  5. (Mobile): Click Connect again in opera:debug, then click OK in the pop-up dialog box.
  6. (Mobile): Open the web page you want to debug, ideally in a new tab.
  7. (Desktop): Select the site to debug in Dragonfly and edit the HTML and CSS to your heart's content.




We've made a short video to show remote debugging in action with captions for people that suffer from deafness/limited hearing (or if you just want to watch it without disturbing those around you). Furthermore, the captions are also available in English, Japanese and Russian.

12 comments

1 2 3 4 5 ... 18 Next »

Showing posts 1 - 5 of 90.