SSL Usage in China

Securing your site isn’t just for credit card information and checkout carts on the web; Secure Socket Layer (SSL) certificates are used to secure your site’s data and users. As people and technologists have become more security focused, companies like Google are giving websites a reason to consider its use. Last year the search giant changed its algorithm to give extra search result rankings to sites that use full SSL encryption. Because Google is the kingmaker in the search engine optimization (SEO) world, SSL-as-ranking-indicator has been a great way increase security of the the web as a whole.

While SSLs are great for most people, China plays by a different set of rules. There are many considerations required when trying to reach a Chinese audience with SSL (as you know from reading my blog series about this). According W3 Techs, SSLs in China represent a fraction of major certificate authority market shares, despite representing a large portion of the web as a whole.

China’s Low SSL Adoption

Like all Chinese web oddities, the relatively low SSL adoption is a byproduct of the country’s censorship of the internet. Many Chinese government and top Alexa sites show incorrect or outdated certificate information if you try to utilize SSL. As encrypted connections are essentially free from government snoops, SSL makes non-approved communication too difficult to monitor and censor.

As such, SSL is not widely used even when it should be. Both the QQ browser and the Baidu browser do not fully encrypt user sensitive communication data between users and their servers. Two reports from Citizen Lab at the University of Toronto have exposed major security flaws from China’s homegrown tech giants. While security and privacy (from foreign powers) are the primary reasons the Chinese government implements web censorship, the immature security environment are related to a few different reasons I’ll discuss.

Full SSL Encryption

Chinese Wikipedia homepage with full SSL encryption and certificate information.
Chinese Wikipedia homepage with full SSL encryption and certificate information.

If you publish politically sensitive content, full site SSL is best for overall security. However, your site is more likely to be completely blocked in China. For example, China completely blocked Wikipedia after a recent switch to full site encryption.

Because of the technology of SSL, China is unable to block individual web pages on full-SSL sites (which the government previously did with non-SSL Wikipedia). Blocking a single unsecured page (like the 1989 Tiananmen Square Protests) is easier as it’s a sort of man-in-the-middle attack on a site. When SSL is not used, government censorship tools essentially inject themselves into the end-user’s browser session with the site and break the connection.

Because SSL prevents these types of intrusions and exploits, the government has no choice but to block the entire domain. This recent change for Wikipedia, while more secure for users, results in millions of articles to be blocked because of a few politically-sensitive ones.

Outdated Operating Systems

Yellow: Windows 7. Blue: Windows XP. The intersection point is at the sunset date of Windows XP.
Yellow: Windows 7. Blue: Windows XP. The intersection point is at the sunset date of Windows XP in April 2014.

The high usage of rate of Windows XP in China may also play a role in the somewhat low adoption rate of SSL. The now-defunct version of Windows lack of support for server name indication (SNI) in Internet Explorer was likely connected to the low adoption numbers of SSL globally.

At the April 2014 sunset date of Windows XP, more than 40% of Chinese web users still used the operating system. This meant Windows XP with SSL was more difficult, as it required dedicated IPs and other additional tools and protocols. This could explain why SSL usage was low for some time in China. It’s legacy likely still affects tech protocols in the country to this day.

Slow SSL Handshakes

With the aforementioned concerns of using full SSL in China, site speed becomes a basic consideration as well. In the West, SSL handshakes add a small amount of time to a page load as the server has to wait for the browser to start a SSL certificate handshake. As web connections in China tend to be somewhat slow, limiting unnecessary assets or connections on a page load becomes a requirement for many trying to reach the Middle Kingdom.

The Great Firewall of China’s heavy burden on China’s DNS architecture, compounded by general slow performance, results in SSL connections being a burden on site performance. An SSL handshake can add 300ms – 1000ms of time to a page load. This additional time can make or break a site’s usability in an outlying province. So, it makes sense that unstable web connections would prefer to not add SSL.

What to Consider

https-everywhere2

Even if you don’t plan on utilizing constant SSL connections on your site for China, it might be a good idea to still have an SSL certificate installed. Tools like HTTPS Everywhere from the Electronic Freedom Foundation force browsers to display a site as fully encrypted, even when designated as HTTP-only. This allows users to have peace of mind with SSL on a site if they are adamant on using it. Many Chinese sites, like Baidu, have SSL certificates, but don’t force users to utilize them.

In the end, SSL is the best way to secure user-to-server and server-to-server connections on a site. It protects your data and your users’ data. However, full encryption on a site does pose a risk in getting blocked by the Great Firewall. I have a chosen to fully encrypt my site, despite the likelihood of it getting blocked, because it’s important to protect my users and their browser sessions. Protecting users is more important to me than the site getting blocked.

So, if you’re a business owner trying to reach the Chinese market, a full site SSL encryption will most definitely pose a risk. However, having a certificate available will allow you to enable security measures when needed.

What are your thoughts on SSL? Do you use them on your sites? Let me know in the comments.

One Comment

Leave a Reply