HTTPS, and Data Security in general, are not priorities in China, which runs counter to everything Google has been saying for the past few years…
As much as we like to think about the internet as being some universal network that connects the whole of humanity, that’s not really what we have. Places like China and Russia offer their citizens a dramatically different version of the internet than what we typically experience in the West.
Let’s use Alex Jones as an example. In the West, Jones has inspired impassioned debate about censorship and de-platforming as we grapple with the principles of free speech and a (mostly) open internet. China or Russia would have disappeared Alex Jones years ago, wiped all trace of him from the internet and moved on as a society without much more than a murmur.
So what does any of that have to do with HTTPS and SSL/TLS? Well let’s talk a little bit about the way the internet in China, in particular, is regulated, and how SSL/TLS doesn’t exactly play nicely with that model. Then, just for fun, we’ll look at Google’s decision to re-enter the Chinese market and how it completely undermines their moral high ground when it comes to pushing for universal HTTPS in the West.
The Great Firewall of China
If Chinese censorship has anything going for it, it’s definitely the nickname. When the internet first came to China back in 1994 it was fairly unregulated. This was a result of China’s Open Door policy, which hoped to tap the West’s knowledge in an effort to reform China’s economy. But as the internet’s popularity grew, so did China’s concerns. As its former leader Deng Xiaoping once expressed, when you open the windows, the flies come in.
In 2000, the Golden Shield Project was implemented; it would serve as the precursor to the Great Firewall. Today, the Chinese government employs at least 50,000 people to enforce its censorship, including blocking websites that it disapproves of and forcing search engines to filter out harmful results.
And here’s one of the biggest differences between China and the US. In the US we have something called Section 230 (of the Communications Decency Act) that provides immunity to websites for the content published there by third parties. China does the opposite: companies are responsible for the content they show, even content generated by users—a practice that encourages self-censorship.
How does SSL/TLS fit into the Chinese censorship picture?
China has a fairly odd relationship with SSL/TLS. Many of the websites there do have SSL certificates installed, but the browsers in China don’t require users to actually use them. And there’s a reason for that. While best practice holds that you should encrypt your entire website – every page, every asset, everything – that effectively prevents the censors from being able to see anything at all. After all, the whole site is encrypted. This can lead to draconian penalties where China will outright ban an entire website when it’s really only trying to get rid of a couple of pages.
The BBC was in the news for this just yesterday, when it recommended the use of VPNs after being completely blocked in China following its migration to HTTPS.
A BBC spokesperson said:
We regret this loss of service. We continue to work with local service providers so that specific BBC content can be made directly available to our audience in China. The last time BBC services were blocked to this extent in China was in 2014 and we call on all parties to observe the UN Declaration of Human Rights, article 19.
The BBC is basically asking people to break the law, as VPNs are also banned in China. The same problems befell Wikipedia when it migrated in 2016. So, while HTTPS and SSL/TLS are perfectly legal in China, the all-or-nothing nature of censorship in the country makes their use potentially risky.
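To make the all-or-nothing point concrete, here is an added example (not from the original article) contrasting what a passive on-path observer can read from a cleartext HTTP request versus a TLS ClientHello. The request and the ClientHello are constructed inline; the hostname and path are made-up sample values.

```python
import struct

# Constructed sample cleartext HTTP/1.1 request (not captured traffic).
HTTP_REQUEST = (b"GET /news/some-article-1234 HTTP/1.1\r\n"
                b"Host: www.example.org\r\n\r\n")

def http_observable(data: bytes) -> dict:
    """Cleartext HTTP exposes both the host and the exact page requested."""
    head, _, _ = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, path, _version = lines[0].split(b" ", 2)
    host = next((l.split(b":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith(b"host:")), b"")
    return {"host": host.decode(), "path": path.decode()}

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying only an SNI extension."""
    name = server_name.encode()
    sni_list = struct.pack("!BH", 0, len(name)) + name          # host_name type
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32            # client_version + random
            + b"\x00"                             # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                         # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def tls_observable(record: bytes) -> dict:
    """A TLS ClientHello exposes the SNI hostname, never the page path."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 9 + 2 + 32                                   # headers, version, random
    pos += 1 + record[pos]                             # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                             # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                                 # server_name extension
            nlen = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return {"host": record[pos + 5:pos + 5 + nlen].decode(), "path": None}
        pos += elen
    return {"host": None, "path": None}
```

A filter that only sees the SNI hostname cannot distinguish one page from another, which is why a whole-site HTTPS migration turns page-level blocking into site-level blocking.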
“As such, SSL is not widely used even when it should be. Both the QQ browser and the Baidu browser do not fully encrypt user sensitive communication data between users and their servers. Two reports from Citizen Lab at the University of Toronto have exposed major security flaws from China’s homegrown tech giants. While security and privacy (from foreign powers) are the primary reasons the Chinese government implements web censorship, the immature security environment is related to a few different reasons I’ll discuss,” writes John P. Gamboa.
Those reasons primarily come down to the risks associated with full SSL, outmoded operating systems as well as infrastructure issues. As of April 2014, the sunset for Windows XP, upwards of 40% of the country was still using the now-outmoded OS. Windows XP, quite infamously, did not play well with SSL. And while over the past four years more and more Chinese internet users have adopted current operating systems, XP still has a larger legacy in China than is healthy.
Additionally, the Great Firewall places an undue burden on China’s DNS architecture, which is compounded by poor (read: slow) network performance in general. That all amounts to SSL connections burdening site performance, specifically during the handshake. In the West, the SSL/TLS handshake may add a small amount of time to page load speed, but a lot has been done to mitigate that.
Not in China.
An SSL handshake can add 300ms – 1000ms of time to a page load. This additional time can make or break a site’s usability in an outlying province. So, it makes sense that sites serving users on unstable connections would prefer not to add SSL.
None of this is good for data security or privacy, but that’s kind of the point.
That does beg the question though: what is Google doing?
How does Google reconcile China’s position on data security with its own stated principles?
According to leaked documents originally reported on by The Intercept, Google is planning to re-enter the Chinese market with a censored version of its search engine and a news aggregator app.
The project – code-named Dragonfly – has been underway since spring of last year, and accelerated following a December 2017 meeting between Google’s CEO Sundar Pichai and a top Chinese government official, according to internal Google documents and people familiar with the plans… Teams of programmers and engineers at Google have created a custom Android app, different versions of which have been named “Maotai” and “Longfei.” The app has already been demonstrated to the Chinese government; the finalized version could be launched in the next six to nine months, pending approval from Chinese officials.
This would mark the first time that Google has operated in China since 2010, when it shut down operations after discovering a cyber attack from within the country that targeted it, as well as several other companies. Over the course of that investigation, Google also discovered that Gmail accounts belonging to a number of prominent Chinese human rights activists had been hacked.
So, what’s changed? Well, Quartz argues that Google has lost its healthy fear of authoritarianism without Sergey Brin. Either way, it’s not like China’s human rights record has improved. Nor have its efforts at censorship diminished. If anything, it’s gotten worse as President Xi Jinping clamps down even harder. China just banned Winnie the Pooh. Again.
What makes Google’s return to China even more curious is the fact that Google, over the course of the past several years, has gone out of its way to mandate HTTPS across the internet. This has included myriad changes to the UI in its browser, support for the advent of free Certificate Authorities and even putting Symantec out of the SSL business over concerns about mis-issuance. This has, in Google’s own words, been done to make security the default state on the internet.
In fact, just today, in a keynote speech at the Black Hat cybersecurity conference in Las Vegas, Director of Engineering Parisa Tabriz, nicknamed “Google’s Security Princess,” said:
“It’s not OK if just Facebook and Google are just on HTTPS. Even if it’s just an individual blog, you still want to have confidence that people reading your blog are actually getting the real content and it’s not being tampered with by your ISP.”
You know, except in China.
But hey, let’s be realistic. Google is a for-profit company. The key term being “for-profit.” The other stuff, the platitudes about security and privacy are supposed to make you feel good and trust Google. But at the end of the day, they’re BS. Especially when money is part of the equation.
So, yes. Google wants security to be an afterthought, second nature. Not something you would have to think about to achieve. Unless of course some other way is more profitable.
And right now, China, with more internet users than the US has citizens, looks pretty profitable.