ODIN Blog

I was invited to speak to a group of developers at the China Bank of Communications. It was an opportunity to get to know how the IT side of the banking sector works, and to ask them "Why ActiveX?"

First, some background - most if not all Chinese banks use ActiveX for their customer banking, so without ActiveX you can't do online banking in China. Similar issues are happening in South Korea and perhaps other places too. The ActiveX plugin is used to prevent the stealing of passwords by keylogger trojans.

After presenting, the discussion dived right into questions and answers; it was very stimulating and I learned a lot about the perspective of developers working with banks. During the discussion, the thousand dollar question was "If not ActiveX, then what?" I suggested three possible solutions:

• First, if your bank insists on using plugins, then use the NPAPI plugin interface. NPAPI is arguably more secure than ActiveX because it is solely an Internet plugin, while ActiveX can also tinker with your operating system (for example components in Office applications). Opera, Safari and Firefox all support the NPAPI plugin.
• If ActiveX is used only to prevent keyloggers, then another solution might be to only allow users to type their login credentials using a virtual keyboard. This could however be a bane for accessibility.
• The third option is to drop plugins altogether and use a one-time password generator. This crossed my mind with banks in Norway which I am provided with a calculator (I use Nordea Bank). A one-time password calculator will not have the spillover security concerns of ActiveX.

Options above are used to prevent password-snatching while a user is typing in the login credentials - before he or she clicks on the login button which sends the login credentials through a HTTPS secure channel.

On the HTTPS side of things, using Extended Validation (EV) certificates will give bank users better assurance since EV certificates goes through a much more rigorous process before it is given out. Browsers with EV support display more information for EV certificates than for previous SSL certificates. IE8, Firefox, Safari, Google Chrome and Opera support Extended Validation.

During the discussion, I realized that many developers are sympathetic towards standards, including those implementing non-standard ActiveX. I used the word sympathetic because many developers I know are idealist and being idealists they want the world to be a better place. The world is a better place without non-standard code, but the reality is that developers earn their living through customers, and therefore maintaining the existing systems that they already use.

There is more than one way to solve the ActiveX dilemma in the banking industry. It's a legacy issue, for sure, but maybe the real problem is resistance to change?

Note: The PDF version of the presentation can be downloaded here, entitled Web 2.0 and Web Standards.

Together with my colleague Henny Swan I've been working in the China Beijing office for the last few weeks which has been really interesting both in terms of getting to know the country and also the state of web standards in China. I thought it would be useful to share some of the thoughts and conversations I had with people around the importance of creating standards compliant web page.

Most major browsers have put in lots of effort in web standards. Opera for example, has always been very supportive of standards work. Our CTO, Håkon Wium Lie, is the co-founder of CSS, and we are the first browser to fully support SVG ship with this level of SVG support. This is our dedication to standards. Other major browsers are also paying more attention, we expect Microsoft to have stronger standards support with the upcoming IE8.

Asia is at a disadvantage when it comes to web standards. This is partly because most materials are in English which not everyone is able to understand. Our Beijing colleague also cited the notion of practicality, "since IE has a huge dominance in China, it is reasonable just to code to IE when resources are low".

However, this is beginning to change with the emergence of mobile web and alternative mobile browsers such as Google Chrome, Firefox, Safari and Opera.

Henny was quick to point out that web standards is a key part in internationalizing local sites. Developers from different countries might have different habits and preference. This is where web standards come into play as they pull together everyone and create a common platform. Also, with mobile Internet booming in China, developers will want their sites to function well on different handsets with varying display.

A third benefit of web standards is for your less able bodied users who need pages to be accessible. Building with web standards means you have a robust framework to support international, mobile and disabled users. Three birds one stone!

Opera is committed in spreading web standards awareness into different communities. Through OpenTheWeb movement, Opera communicates with major Chinese web sites, such as TaoBao, to make sure that their sites are web standards compliant. The effort not only benefits browsers, but the whole web community.

To find out more about web standards check out the Opera Web Standards Curriculum.