Why is 'avast! Web/Mail Shield Root' listed as CA for google.com?

The whole goal of HTTPS is to prevent eavesdropping so that anyone monitoring your web traffic can't see what you're sending. As useful as it is, HTTPS presents a bit of a problem to antivirus software because when you visit sites over an encrypted connection, your antivirus software cannot see what sites you're visiting or what files you're downloading, at least until the download finishes. This presents a risk because if you download a virus, the antivirus software won't know about it until the download is finished and the virus is already saved to your hard drive, allowing criminals to bypass the "live defense" features of AV by simply hosting the malware on an HTTPS site.

The solution that many antivirus programs use is to install its own SSL certificate as a root certificate so that it can essentially man-in-the-middle all HTTPS traffic to scan for malware. I'm guessing this is what avast! is doing.

Whether this behavior presents additional security issues is debatable but I don't think it's something you need to be deeply concerned about - after all, your own antivirus software is doing the man-in-the-middling, not a malicious party. If it worries you, you can disable this behavior - go to Settings>Active Protection>Web Shield>click on "customize" and tick the box next to "Disable HTTPS scanning." If you do this, avast! won't be able to proactively block malware on HTTPS sites.


This is happening because as others described, the Mail/Web shield needs to be able to scan your web traffic before it is saved on your system / does any harm.

Scanning encrypted SSL/TLS sockets requires that Avast can decrypt the connection. There is no other way for Avast to decrypt the connection than to generate its own certificate with a known derived decryption key, then sign it with a custom Root Certificate from Avast installed on your system.

This completely compromises internet privacy. (1) Man-In-The-Middle attacks by any person exchanging the website's keys for their own so that they may tap in on your connection will go unnoticed by your browser. (2) Insecure website certificates (maliciously exchanged, cracked or shared with third parties) will be accepted by your browser and the whole concept of secure, encrypted and authenticated connections is ignored.

There is a checkbox in "preferences" in Avast that says "scan secured connections". I recommend you turn this off if you value internet privacy.
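Both answers above describe the same mechanism: the leaf certificate the browser sees for google.com is no longer signed by the site's public CA but by a locally installed "avast! Web/Mail Shield Root". A quick way to confirm which case you are in, independent of the browser UI, is to open a TLS connection yourself and look at who signed the leaf certificate. The script below is an added example, not code from either answer or from Avast; the marker strings and the two sample certificate dictionaries are constructed for illustration (the public-CA issuer name is a placeholder), and the `ssl`/`socket` calls are the Python standard library.

```python
"""Check whether a TLS connection is terminated by a locally installed
interception root (such as an antivirus 'Web Shield') instead of the
public CA that issued the site's real certificate."""
import socket
import ssl

# Substrings that identify an interception root in the issuer name.
# "avast" / "web/mail shield" come from the question; extend as needed.
LOCAL_ROOT_MARKERS = ("avast", "web/mail shield")


def rdn_to_dict(rdn_seq):
    """Flatten the tuple-of-tuples name format returned by
    ssl.SSLSocket.getpeercert() into a plain dict:
    ((('commonName', 'x'),),) -> {'commonName': 'x'}."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def classify_issuer(cert):
    """Return 'intercepted' if the leaf certificate's issuer matches one of
    LOCAL_ROOT_MARKERS, otherwise 'public-ca'."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    haystack = " ".join(issuer.values()).lower()
    if any(marker in haystack for marker in LOCAL_ROOT_MARKERS):
        return "intercepted"
    return "public-ca"


def describe(cert):
    """One-line human-readable summary of subject, issuer and verdict."""
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    return (f"subject CN={subject.get('commonName')} | "
            f"issuer O={issuer.get('organizationName')} "
            f"CN={issuer.get('commonName')} -> {classify_issuer(cert)}")


def fetch_leaf_cert(host, port=443, timeout=5):
    """Open a verified TLS connection using the OS trust store (where an
    AV root gets installed, so the handshake succeeds either way) and
    return the parsed leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format: the chain as seen with the
# avast! shield active, and as seen with a (placeholder) public CA.
INTERCEPTED_SAMPLE = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "AVAST Software"),),
               (("commonName", "avast! Web/Mail Shield Root"),)),
}
NORMAL_SAMPLE = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),   # placeholder
               (("commonName", "Example Public CA G1"),)),     # placeholder
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    try:
        print(describe(fetch_leaf_cert(host)))
    except OSError as exc:
        # Offline or blocked: fall back to the constructed samples.
        print(f"live check skipped ({exc}); sample results:")
        print(describe(INTERCEPTED_SAMPLE))
        print(describe(NORMAL_SAMPLE))
```

Run it with `python check_issuer.py www.google.com` on the affected machine. If the verdict is `intercepted` while browsing from a browser that uses the OS trust store, that browser is trusting Avast's root exactly as the second answer describes; after unticking the HTTPS-scanning option the issuer should revert to the site's public CA. Note that `ssl.create_default_context()` reads the operating system's trust store, so a browser that ships its own store (Firefox, for example) may show a different issuer than this script does.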