HTTPS certificates ensure that a domain actually belongs to the company it's registered to. Since CNNIC handles HTTPS certificates for all web users in China, Google's decision means any users visiting Chinese websites with Chrome will see a security warning. Chrome is the top web browser in China, with a 53% market share in 2014, according to StatCounter.
Users can ignore those warnings and proceed to the site, but Google will basically label all "secure" Chinese sites as "questionable." Google stated that previously issued HTTPS certificates from CNNIC will be marked as trusted in Chrome for a "limited time" through a publicly disclosed whitelist.
Why did Google do this?
CNNIC contracts the HTTPS certification process out to companies known as certificate authorities (CAs).
Google has accused one of CNNIC's CAs, MCS Holdings, of issuing an unauthorized security certificate that was subsequently used by an Egyptian web company to perform a "man-in-the-middle" attack. This type of attack attempts to intercept communications between a compromised website and a server.
MCS Holdings attributed the security lapse to a "human mistake," according to CNBC. Google acknowledged that the lapse seemed unintentional, but it still showed that CNNIC "delegated substantial authority to an organization that was not fit to hold it."
In a blog post, Google stated that CNNIC was welcome to "reapply once suitable technical and procedural controls" were implemented. CNNIC responded by calling Google's decision "unacceptable and unintelligible."
Are double standards at play?
The use of fraudulent HTTPS certificates for man-in-the-middle attacks isn't unique to China. Last month, a fraudulent HTTPS certificate was issued for one of Microsoft's (NASDAQ:MSFT) Windows Live Web addresses, sending the company scrambling to block man-in-the-middle attacks.
The CA which issued it, Comodo, is the largest issuer of SSL certificates, with a 34% market share on 5.4% of all web domains. Comodo quickly revoked the certificate, but Microsoft didn't cut ties with Comodo or declare all of its certificates invalid, as Google did with all of CNNIC's CAs.
But in Google's defense, this isn't the first time a Chinese company's security lapse exposed worldwide users to similar attacks. Earlier this year, Lenovo's (NASDAQOTH:LNVGY) Superfish adware, a program preinstalled on many of its laptops, exposed users to similar man-in-the-middle attacks.
Does China still matter to Google?
Regardless of whether or not Google overreacted to the security lapse, the conflict with CNNIC highlights its deteriorating relationship with China.
Back in 2010, Google relocated its search engine from mainland China to Hong Kong, after a two-month standoff over online freedom issues and alleged intrusions from hackers. That resulted in mainland users losing access to Google's search engine. Between 2010 and 2014, Google's share of the Chinese search market, by pageviews, plunged from around 12% to less than 1%, according to market tracker CNZZ. Since then, Google's growth in other markets easily offset its exit from China.
Although most Google services are banned in China, it still sells display ads there, which claimed 12% of all Chinese search engine revenue in 2014, according to China Internet Watch. Google doesn't disclose how much that business is worth, but iResearch estimated that the company generated $260 million in ad revenues from mainland China during the third quarter of 2014.
Not as bad as it seems
Google's conflict with the CNNIC might hurt the company's chances of ever bringing its search engine back to China, but the near-term impact should be minimal.
The Chinese government already discourages the use of HTTPS certificates for Chinese sites, since they can't be accessed in transit by the Great Firewall. As a result, CNNIC-issued HTTPS certificates account for less than 0.1% of all certificates on the Internet. Moreover, the CNNIC will likely be recertified after it addresses security issues with its CAs.
The bottom line
The dispute between Google and CNNIC highlights interesting trends tech investors should be aware of.
Chrome's popularity still gives Google a lot of clout in China, while display ads still generate decent ad revenue. Those strengths, combined with its robust worldwide growth, mean Google doesn't have to eagerly kowtow to the Chinese government's demands.
Meanwhile, dangerous hacks are worming their way into preinstalled software on laptops and fraudulently registered websites. Therefore, Google's response to CNNIC -- while arguably heavy-handed -- was necessary to tighten security standards.
Leo Sun has no position in any stocks mentioned. The Motley Fool recommends Google (A shares) and Google (C shares). The Motley Fool owns shares of Google (A shares) and Google (C shares).