Today

• Most Chinese banks use ActiveX controls and are thus inoperable in Firefox.
• Mozilla China has been working with CCB (ccb.com.cn) to enable its website to work with Firefox 3.6 and 4.0, using add-ons.
• Many banks are using USB identity tokens and/or smartcards.
• A very large majority of users are using Windows XP, which does not have built-in drivers for identity tokens, unlike Windows 7. (TODO: How many banks' identity tokens are plug-n-play in Windows 7.) These drivers use the Windows CryptoAPI CSP interface to expose the certificates on the identity token to applications that use CryptoAPI. However, Mozilla products currently do not use CryptoAPI; we have our own solution based on PKCS#11.
• Some banks are using security tokens from multiple manufacturers, which may require different drivers and/or CSP/PKCS#11 DLLs.

CCB Bank

Description of Mozilla China's CCB solution

• Multiple plugins are installed:
  • One or more are used to provide a "more secure" UI for data and/or password entry. From Li: "They use a separate ActiveX control for any operation that they think should be protected – login, inputing a $$ amount for transaction, etc. So they would use a good number of these controls in a typical online banking session.
  • One or more are used to communicate with the smart card.
• An extension specific to ccb.com.cn is used to improve the PSM client certificate selection UI, to show more information about each certificate (e.g. validity period) in the list, and to expand the identity token's list of certificates in the tree.
• CCB's helper package installs a CCB-bank-specific root certificate; the exact technical reason for this isn't clear yet. This has possible negative security implications for non-CCB websites.
• One or more PKCS#11 modules are installed, to enable access to the hardware identity token from within Gecko.

Possible immediate improvements

Note: This is just a list of *possible* improvements, because we do not know enough about the current solution yet. Some or all of these improvements might be unrealistic.

• Stop installing the CCB-bank-specific root and disable it on users' computers.
• Remove the need for CCB's extension that improves the PSM client certificate selection UI, by making those UI improvements inside the base UI.
• Drivers for identity tokens used by Chinese banks can be bundled with the browser and/or downloaded automatically on demand.
• Try to reduce or eliminate the use of plugins for UI, as much as possible. Providing an open-source HTML/CSS/JS reference implementation of these UI improvements (with a liberal license) might accelerate this.
• For UI plugins that cannot be replaced, develop open-source versions that we can ship in an extension bundled with Firefox China Edition.

Open Questions / Action Items

1. Improve communication between Mozilla China and Platform/PSM. bsmith is willing (eager, even) to go to Beijing if that would be helpful.
2. Coordinate a video/screen-sharing meeting between Mozilla China and Platform/PSM (bsmith and kaie), so that Platform/PSM can better understand the problem.
3. What is the exacty purpose of CCB's root certificate? After installing the helper package, if we remove the root certificate from the certificate database using the Certificate Manager UI, then what specific parts of the website break?
4. What protocols and/or APIs are being used for the security of the bank? Are they using standard SSL client authentication? Are they using a solution with an API similar to the one used in Korea?
5. Wei mentioned that CCB uses three vendors for identity tokens. Who are these three vendors?
   1. [Vendor name]: [contact information] [links to vendor's website(s)]
   2. [Vendor name]: [contact information] [links to vendor's website(s)]
   3. [Vendor name]: [contact information] [links to vendor's website(s)]
6. Get somebody in Mountain View (e.g. bsmith) access to a CCB bank account and hardware identity token, so that Platform/PSM can better support Mozilla China's efforts.
7. There are several plugins in the CCB helper package. What are these plugins and what do they do?:
   1. [filename] [Description of plugin's purpose]
   2. [filename] [Description of plugin's purpose]
   3. [filename] [Description of plugin's purpose]
   4. [filename] [Description of plugin's purpose]
   5. [filename] [Description of plugin's purpose]
   6. [filename] [Description of plugin's purpose]

Generalized Solution for Other Banks

Open Questions

• How similar are other Chinese banks' websites to CCB's?
• What other banks are willing/eager to work with us to get Firefox working with their site?
• If the other banks' websites work similarly, and if we can minimize the number of closed-source plugins that are needed for the CCB solution, then we can probably greatly accelerate the enabling of Firefox compatibility on other banks' websites.