Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
Cayden, Thanks for the update. I am also eagerly awaiting this feature. Thank you guys for your hard work. -tjw On Sunday, April 22, 2012 7:01:22 PM UTC-4, Cayden Meyer wrote: Hi Everyone, SSL for Custom Domains is still undergoing testing and improvement. I do not have a timeline to announce at this point, but rest assured that this is a priority for the App Engine team and it is a feature we are committed to launching. Thanks, Cayden Meyer Product Manager, Google App Engine On 20 April 2012 23:54, James Gilliam jimgill...@gmail.com wrote: How about some status? On Mar 28, 3:34 pm, Kaan Soral kaanso...@gmail.com wrote: What is the current status of SSL for Custom Domains, when can we expect it in production? On Monday, October 17, 2011 11:13:14 AM UTC+3, Cayden Meyer wrote: Hey everyone, I am pleased to announce that we are accepting signups for the SSL for custom domains Trusted Tester Program. This will allow you to serve secure traffic for your App Engine application from your own domain(https://your.domain.com) rather than your appspot.com domain (https://your-app-id.appspot.com). We will be offering two types of SSL service, Server Name Indication (SNI) and Virtual IP(VIP). SNI will be significantly less expensive than VIP when this service is fully launched, however unlike VIP it does not work everywhere SSL is supported, notably it is not supported by IE and Safari on Windows XP. Multiple certificates are supported by SNI, while the VIP service only supports a single certificate per virtual IP address. Wildcard certificates and certificates with alternate names are supported by both SNI and VIP. Either a Free or Paid Google Apps account is required to use SSL. The use of multiple domains is supported via the aliasing feature in Google Apps. If you are interesting in signing up to test this feature, please fill in the form linked below. https://docs.google.com/a/google.com/spreadsheet/viewform?formkey=dHF. .. Currently we are testing on a limited basis and will not be able to accept everybody who applies to the trusted tester program. As with all trusted tester programs, documentation is a work in progress. This feature is still in testing and as such we would advise against using this on production applications. If you have any queries, please email google-appengine-ssl- feedb...@google.com. Cheers, Cayden Meyer Product Manager, Google App Engine Blogger:http://googleappengine.blogspot.com Reddit:http://www.reddit.com/r/appengine Twitter:http://twitter.com/app_engine -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/_a7-eXtPF6IJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
Thanks for the update Cayden. It's reassuring to know SSL on custom domains is still alive and high priority with the GAE team. I can certainly appreciate the desire and temptation to offer a nice, clean SNI solution. However, I think today's client compatibility reality doesn't allow for an SNI solution. The main culprits are pre-ICS Android and Blackberry clients more so than IE on Win-XP. At least on Win-XP Chrome and FireFox are viable alternatives to IE. Whereas Android incompatibility includes the Kindle Fire and the overwhelming majority of Android phones on the market today. It just doesn't make sense for a modern website to deliberately disregard the certificate warnings its users will experience with those clients. The warnings leave an unprofessional blemish on the site and likely leave the user confused and questioning the site's integrity and professionalism. My hope is that Google will stick with the SNI path for possible future deployment but realize that VIP is the only practical approach at this point in time. This means VIP would need to be offered at an affordable price point or perhaps even made available for free. I can only imagine the cost and challenges involved with developing a robust VIP solution in the cloud environment. However, every once in a while a feature is significant enough to overlook the NRE and do the right thing in lieu of trying to directly recoup costs. I would argue that SSL on custom domains is such a feature. A proper, affordable SSL solution promotes a secure web and benefits the GAE platform. I wish SNI had been a part of the original TLS spec but unfortunately that didn't happen and now we are forced to wait several more years for significantly more incompatible clients to flush out of the ecosystem. The alternative is to support SNI and pollute the web with certificate warnings when Android and Blackberry clients visit certain GAE sites. I don't think anybody wants this and I hope Google does the right thing. - Doug Anderson On Sunday, April 22, 2012 7:01:22 PM UTC-4, Cayden Meyer wrote: Hi Everyone, SSL for Custom Domains is still undergoing testing and improvement. I do not have a timeline to announce at this point, but rest assured that this is a priority for the App Engine team and it is a feature we are committed to launching. Thanks, Cayden Meyer Product Manager, Google App Engine On 20 April 2012 23:54, James Gilliam jimgill...@gmail.com wrote: How about some status? On Mar 28, 3:34 pm, Kaan Soral kaanso...@gmail.com wrote: What is the current status of SSL for Custom Domains, when can we expect it in production? On Monday, October 17, 2011 11:13:14 AM UTC+3, Cayden Meyer wrote: Hey everyone, I am pleased to announce that we are accepting signups for the SSL for custom domains Trusted Tester Program. This will allow you to serve secure traffic for your App Engine application from your own domain(https://your.domain.com) rather than your appspot.com domain (https://your-app-id.appspot.com). We will be offering two types of SSL service, Server Name Indication (SNI) and Virtual IP(VIP). SNI will be significantly less expensive than VIP when this service is fully launched, however unlike VIP it does not work everywhere SSL is supported, notably it is not supported by IE and Safari on Windows XP. Multiple certificates are supported by SNI, while the VIP service only supports a single certificate per virtual IP address. Wildcard certificates and certificates with alternate names are supported by both SNI and VIP. Either a Free or Paid Google Apps account is required to use SSL. The use of multiple domains is supported via the aliasing feature in Google Apps. If you are interesting in signing up to test this feature, please fill in the form linked below. https://docs.google.com/a/google.com/spreadsheet/viewform?formkey=dHF. .. Currently we are testing on a limited basis and will not be able to accept everybody who applies to the trusted tester program. As with all trusted tester programs, documentation is a work in progress. This feature is still in testing and as such we would advise against using this on production applications. If you have any queries, please email google-appengine-ssl- feedb...@google.com. Cheers, Cayden Meyer Product Manager, Google App Engine Blogger:http://googleappengine.blogspot.com Reddit:http://www.reddit.com/r/appengine Twitter:http://twitter.com/app_engine -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at
Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
Thanks for the update Cayden... it's nice to know this issue is still alive and high priority! For me the biggest issue with SNI is pre-ICS Android and Blackberry more than IE (or Safari) with Windows-XP. I can appreciate the desire and temptation for an SNI solution but the reality is that there are still too many non-compliant clients out there for SNI to be an adequate solution for 99% of sites. I wish SNI had been part of the original TLS spec but unfortunately that isn't the case and we still have several years before enough non-compliant clients are flushed from the ecosystem to make SNI a viable solution. Practically every Android phone (non Ice Cream Sandwich) and many Android tablets including the Kindle Fire issue certificate warnings with SNI today. So if you care about Android / Kindle Fire / Blackberry / IE-XP clients then SNI isn't for you. The fact is if you use SNI today your site will have an unprofessional blemish with the numerous non-compliant clients and will result in a sub-standard user experience and possibly support calls. So my hope is that Google keeps the SNI effort alive for future use but makes VIP the recommended, affordable, and perhaps only solution for today's GAE apps. Since any non-trivial site should be using SSL today to protect session data etc., I hope Google does the right thing to support proper secure computing on its flagship platform. I can only imagine the cost and challenges involved with getting the VIP solution to work in the cloud environment but every once in a while a feature comes along that you just need to support because its the right thing to do and not to recoup associate costs and make a big profit. I would argue that (VIP) SSL is one of those features. It's something the GAE team can do simply because they're Google and a leading steward of the Internet. The alternate is to pollute the web with certificate warnings, the majority of which will likely be on its own Android platform. While we await this vital missing piece of an otherwise awesome GAE platform you can test your client browsers responses to SNI here: https://sni.velox.ch/ -- You received this message because you are subscribed to the Google Groups Google App Engine group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/7m0-QAOuQdUJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
Thanks for the update Cayden. It's reassuring to know SSL on custom domains is still alive and high priority with the GAE team. I can certainly appreciate the desire and temptation to offer a nice, clean SNI solution. However, I think today's client compatibility reality doesn't allow for an SNI solution. The main culprits are pre-ICS Android and Blackberry clients more so than IE on Win-XP. At least on Win-XP Chrome and FireFox are viable alternatives to IE. Whereas Android incompatibility includes the Kindle Fire and the overwhelming majority of Android phones on the market today. It just doesn't make sense for a modern website to deliberately disregard the certificate warnings its users will experience with those clients. The warnings leave an unprofessional blemish on the site and likely leave the user confused and questioning the site's integrity and professionalism. My hope is that Google will stick with the SNI path for possible future deployment but realize that VIP is the only practical approach at this point in time. This means VIP would need to be offered at an affordable price point or perhaps even made available for free. I can only imagine the cost and challenges involved with developing a robust VIP solution in the cloud environment. However, every once in a while a feature is significant enough to overlook the NRE and do the right thing in lieu of trying to directly recoup costs. I would argue that SSL on custom domains is such a feature. A proper, affordable SSL solution promotes a secure web and benefits the GAE platform. I wish SNI had been a part of the original TLS spec but unfortunately that didn't happen and now we are forced to wait several more years for significantly more incompatible clients to flush out of the ecosystem. The alternative is to support SNI and pollute the web with certificate warnings when Android and Blackberry clients visit certain GAE sites. I don't think anybody wants this and I hope Google does the right thing. - Doug Anderson -- You received this message because you are subscribed to the Google Groups Google App Engine group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/8yEFneGBHzUJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
Hi Everyone, SSL for Custom Domains is still undergoing testing and improvement. I do not have a timeline to announce at this point, but rest assured that this is a priority for the App Engine team and it is a feature we are committed to launching. Thanks, Cayden Meyer Product Manager, Google App Engine On 20 April 2012 23:54, James Gilliam jimgill...@gmail.com wrote: How about some status? On Mar 28, 3:34 pm, Kaan Soral kaanso...@gmail.com wrote: What is the current status of SSL for Custom Domains, when can we expect it in production? On Monday, October 17, 2011 11:13:14 AM UTC+3, Cayden Meyer wrote: Hey everyone, I am pleased to announce that we are accepting signups for the SSL for custom domains Trusted Tester Program. This will allow you to serve secure traffic for your App Engine application from your own domain(https://your.domain.com) rather than your appspot.com domain (https://your-app-id.appspot.com). We will be offering two types of SSL service, Server Name Indication (SNI) and Virtual IP(VIP). SNI will be significantly less expensive than VIP when this service is fully launched, however unlike VIP it does not work everywhere SSL is supported, notably it is not supported by IE and Safari on Windows XP. Multiple certificates are supported by SNI, while the VIP service only supports a single certificate per virtual IP address. Wildcard certificates and certificates with alternate names are supported by both SNI and VIP. Either a Free or Paid Google Apps account is required to use SSL. The use of multiple domains is supported via the aliasing feature in Google Apps. If you are interesting in signing up to test this feature, please fill in the form linked below. https://docs.google.com/a/google.com/spreadsheet/viewform?formkey=dHF. .. Currently we are testing on a limited basis and will not be able to accept everybody who applies to the trusted tester program. As with all trusted tester programs, documentation is a work in progress. This feature is still in testing and as such we would advise against using this on production applications. If you have any queries, please email google-appengine-ssl- feedb...@google.com. Cheers, Cayden Meyer Product Manager, Google App Engine Blogger:http://googleappengine.blogspot.com Reddit:http://www.reddit.com/r/appengine Twitter:http://twitter.com/app_engine -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
On Fri, Oct 21, 2011 at 7:33 AM, Brandon Wirtz drak...@digerat.com wrote: IE5/IE6 will say page cannot be displayed and will never connect. For this reason you should encourage users to arrive at a non-HTTPs version of the page, do browser detection and display an Upgrade your browser notification, then use the login to take them to the secure version of the site. Doing this will make your users vulnerable to man-in-the-middle attacks: an attacker could intercept the HTTP request and send back HTTP responses, with no redirect to HTTPS. How plausible this is depends on the nature of your app, naturally. -Nick Johnson ** ** ** ** ** ** *From:* google-appengine@googlegroups.com [mailto: google-appengine@googlegroups.com] *On Behalf Of *Nick *Sent:* Thursday, October 20, 2011 1:13 PM *To:* google-appengine@googlegroups.com *Subject:* [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program ** ** What happens when a non-supported browser attempts to access https://www.my-sercure-appengine-app.com? Does it redirect to http:// or show an error dialog? -- You received this message because you are subscribed to the Google Groups Google App Engine group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/DUTj6iVJ49gJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- Nick Johnson, Developer Programs Engineer, App Engine -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
Thanks, Jeff. Considering how much noise came of the pricing change, this should put some fire in bellies :) -- You received this message because you are subscribed to the Google Groups Google App Engine group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/UNBHi0JEIcQJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
It was part of a survey question when you filled out the trusted tester application. Would you be wiling to pay $100 for VIP? Jeff On Fri, Oct 28, 2011 at 4:30 AM, Richard Watson richard.wat...@gmail.comwrote: @Jesse - did you make up the $100, or did you see that a guestimate somewhere? -- You received this message because you are subscribed to the Google Groups Google App Engine group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/UWYYy2efHMwJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
Which of the options allows using naked domain? I'm guessing VIP, right? Waleed On Thu, Oct 20, 2011 at 9:00 AM, Anton Novopashin antonev...@gmail.comwrote: I have filled form allready -- You received this message because you are subscribed to the Google Groups Google App Engine group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/V333YDgn0rIJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
RE: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
Yes. All the Nakedness happens in the VIP space. Just like the Clubs in LA. From: google-appengine@googlegroups.com [mailto:google-appengine@googlegroups.com] On Behalf Of Waleed Abdulla Sent: Thursday, October 20, 2011 12:00 PM To: google-appengine@googlegroups.com Subject: Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program Which of the options allows using naked domain? I'm guessing VIP, right? Waleed On Thu, Oct 20, 2011 at 9:00 AM, Anton Novopashin antonev...@gmail.com wrote: I have filled form allready -- You received this message because you are subscribed to the Google Groups Google App Engine group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/V333YDgn0rIJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com mailto:google-appengine%2bunsubscr...@googlegroups.com . For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
Re: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
:D -- You received this message because you are subscribed to the Google Groups Google App Engine group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/M-9uy3RrLRsJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
RE: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program
IE5/IE6 will say page cannot be displayed and will never connect. For this reason you should encourage users to arrive at a non-HTTPs version of the page, do browser detection and display an Upgrade your browser notification, then use the login to take them to the secure version of the site. From: google-appengine@googlegroups.com [mailto:google-appengine@googlegroups.com] On Behalf Of Nick Sent: Thursday, October 20, 2011 1:13 PM To: google-appengine@googlegroups.com Subject: [google-appengine] Re: Announcing SSL for Custom Domains Trusted Tester Program What happens when a non-supported browser attempts to access https://www.my-sercure-appengine-app.com? Does it redirect to http:// or show an error dialog? -- You received this message because you are subscribed to the Google Groups Google App Engine group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/DUTj6iVJ49gJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.