Announcing SSL for Custom Domains Trusted Tester Program


Cayden Meyer

Oct 17, 2011, 4:13:14 AM
to Google App Engine
Hey everyone,

I am pleased to announce that we are accepting signups for the SSL for
custom domains Trusted Tester Program. This will allow you to serve
secure traffic for your App Engine application from your own
domain (https://your.domain.com) rather than your appspot.com domain
(https://your-app-id.appspot.com).

We will be offering two types of SSL service, Server Name Indication
(SNI) and Virtual IP (VIP). SNI will be significantly less expensive
than VIP when this service is fully launched, however unlike VIP it
does not work everywhere SSL is supported, notably it is not supported
by IE and Safari on Windows XP. Multiple certificates are supported by
SNI, while the VIP service only supports a single certificate per
virtual IP address. Wildcard certificates and certificates with
alternate names are supported by both SNI and VIP.

Either a Free or Paid Google Apps account is required to use SSL. The
use of multiple domains is supported via the aliasing feature in
Google Apps.

If you are interested in signing up to test this feature, please fill
in the form linked below.

https://docs.google.com/a/google.com/spreadsheet/viewform?formkey=dHFoZFhlUTM1MUNpelFWcVJqcVAwckE6MQ

Currently we are testing on a limited basis and will not be able to
accept everybody who applies to the trusted tester program.

As with all trusted tester programs, documentation is a work in
progress.

This feature is still in testing and as such we would advise against
using this on production applications.

If you have any queries, please email
google-appengine-ssl-feed...@google.com.

Cheers,

Cayden Meyer
Product Manager, Google App Engine
Blogger: http://googleappengine.blogspot.com
Reddit: http://www.reddit.com/r/appengine
Twitter: http://twitter.com/app_engine

Brandon Wirtz

Oct 17, 2011, 5:45:14 PM
to google-a...@googlegroups.com
Cayden and GAE Team,

This is awesome. I don't need it, but I know a lot of people in the
community have asked for it, and I know they will be appreciative. I am
certain this took a lot of work internally to resolve limitations of
other products, and likely some politics to get those solutions in place.
This feature, in my view, shows more than most Google's commitment to making
this an enterprise-class solution with as few "deal breakers" as possible
for deployments.

-Brandon

Brandon Wirtz
BlackWaterOps: President / Lead Mercenary

Work: 510-992-6548
Toll Free: 866-400-4536
IM: dra...@gmail.com (Google Talk)
Skype: drakegreene
BlackWater Ops


Thomas Wiradikusuma

Oct 17, 2011, 11:03:41 PM
to Google App Engine
Wow this is big news! I currently don't need it, but will eventually
use it. Congrats guys!

Jeff Schnitzer

Oct 18, 2011, 3:22:01 AM
to google-a...@googlegroups.com
+1 to this!

I *do* need it... because "everything through SSL all the time" is
rapidly approaching mandatory. Firesheep changed everything - now
users *realize* how insecure the web really is.

Jeff

Pol

Oct 18, 2011, 5:24:33 AM
to Google App Engine
That's great news, but I'm wondering: if we put GAE over SSL on
https://example.com, will doing AJAX from https://www.example.com to
https://example.com still be considered cross-domain or not?

On Oct 18, 9:22 am, Jeff Schnitzer <j...@infohazard.org> wrote:
> +1 to this!
>
> I *do* need it... because "everything through SSL all the time" is
> rapidly approaching mandatory.  Firesheep changed everything - now
> users *realize* how insecure the web really is.
>
> Jeff
>
> On Mon, Oct 17, 2011 at 2:45 PM, Brandon Wirtz <drak...@digerat.com> wrote:
> > Cayden and GAE Team,
>
> > This is awesome.  I don't need it, but I know a lot of people in the
> > community have asked for it, and I know they will be appreciative.  I am
> > certain this took a lot of working internally to resolve limitations of
> > other products, and likely some politics to get those solutions in place.
> > This feature in my view, shows more than most Google's commitment to making
> > this an enterprise class solution with as few "deal breakers" as possible
> > for deployments.
>
> > -Brandon
>
> > Brandon Wirtz
> > BlackWaterOps: President / Lead Mercenary
>
> > Work: 510-992-6548
> > Toll Free: 866-400-4536
> > IM: drak...@gmail.com (Google Talk)
> >https://docs.google.com/a/google.com/spreadsheet/viewform?formkey=dHF...
> > M1MUNpelFWcVJqcVAwckE6MQ
>
> > Currently we are testing on a limited basis and will not be able to accept
> > everybody who applies to the trusted tester program.
>
> > As with all trusted tester programs, documentation is a work in progress.
>
> > This feature is still in testing and as such we would advise against using
> > this on production applications.
>
> > If you have any queries, please email google-appengine-ssl-
> > feedb...@google.com.


Anton Novopashin

Oct 20, 2011, 12:00:37 PM
to google-a...@googlegroups.com
I have filled in the form already

Waleed Abdulla

Oct 20, 2011, 2:59:52 PM
to google-a...@googlegroups.com
Which of the options allows using a naked domain? I'm guessing VIP, right?

Waleed



On Thu, Oct 20, 2011 at 9:00 AM, Anton Novopashin <anton...@gmail.com> wrote:
> I have filled in the form already

Brandon Wirtz

Oct 20, 2011, 3:34:44 PM
to google-a...@googlegroups.com

Yes. All the Nakedness happens in the VIP space.  Just like the Clubs in LA.

Nick

Oct 20, 2011, 3:57:28 PM
to google-a...@googlegroups.com
:D

Nick

Oct 20, 2011, 4:12:44 PM
to google-a...@googlegroups.com
What happens when a non-supported browser attempts to access https://www.my-sercure-appengine-app.com? Does it redirect to http:// or show an error dialog?

Brandon Wirtz

Oct 20, 2011, 4:33:27 PM
to google-a...@googlegroups.com

IE5/IE6 will say page cannot be displayed and will never connect. For this reason you should encourage users to arrive at a non-HTTPS version of the page, do browser detection and display an Upgrade your browser notification, then use the login to take them to the secure version of the site.


Shedokan

Oct 22, 2011, 9:16:22 AM
to Google App Engine
On Oct 20, 10:33 pm, "Brandon Wirtz" <drak...@digerat.com> wrote:
> IE5/IE6 will say page cannot be displayed and will never connect.  For this
> reason you should encourage users to arrive at a non-HTTPs version of the
> page, do browser detection and display an Upgrade your browser notification,
> then use the login to take them to the secure version of the site.
>

According to Wikipedia ALL Internet Explorer and Safari browsers on
Windows XP do not have SNI support.
And strangely enough Google Chrome's versions below 6 do not have it
either (a tiny percentage).

So we are supposed to detect them all using the useragent string? That
would be fun to try...



But we all knew that before we started asking for SNI, so great job
Google and the App Engine developers!

Shedokan

Oct 22, 2011, 9:20:26 AM
to Google App Engine
Also it is very worth noting that SNI is not supported in Python
versions below 3.2

Jesse

Oct 26, 2011, 12:21:38 PM
to google-a...@googlegroups.com
Hi Cayden,

Thanks for the hard work on this.  I'd like to suggest 2 features (they may already be in the works):

 * UCC on VIP
 * Wildcard on VIP

If VIP potentially costs $100/mon (not final I know) it would be really nice if I could issue a UCC cert for my VIP address and set up routing to n number of apps (this is particularly important for testing staging environments, I do not want to pay for a different SNI or VIP for *each* testing/staging app that I have deployed, if possible). In our testing UCC is very well supported.

Wildcard would be similar but obviously the sub-domain hosts would not be known beforehand by the cert.  The routing would need some sort of interface to configure it.  We have a lot of services under master domains and so this would be helpful. 

Best,

jesse


Richard Watson

Oct 28, 2011, 7:30:11 AM
to google-a...@googlegroups.com
@Jesse - did you make up the $100, or did you see that as a guesstimate somewhere?

Jeff Schnitzer

Oct 28, 2011, 1:54:44 PM
to google-a...@googlegroups.com
It was part of a survey question when you filled out the trusted tester application. Would you be willing to pay $100 for VIP?

Jeff

On Fri, Oct 28, 2011 at 4:30 AM, Richard Watson <richard...@gmail.com> wrote:
> @Jesse - did you make up the $100, or did you see that as a guesstimate somewhere?

Richard Watson

Oct 31, 2011, 4:52:10 AM
to google-a...@googlegroups.com
Thanks, Jeff. Considering how much noise came of the pricing change, this should put some fire in bellies :)

Nick Johnson

Nov 1, 2011, 7:40:32 PM
to google-a...@googlegroups.com
On Fri, Oct 21, 2011 at 7:33 AM, Brandon Wirtz <dra...@digerat.com> wrote:

> IE5/IE6 will say page cannot be displayed and will never connect. For this reason you should encourage users to arrive at a non-HTTPS version of the page, do browser detection and display an Upgrade your browser notification, then use the login to take them to the secure version of the site.


Doing this will make your users vulnerable to man-in-the-middle attacks: an attacker could intercept the HTTP request and send back HTTP responses, with no redirect to HTTPS.

How plausible this is depends on the nature of your app, naturally.

-Nick Johnson

--
Nick Johnson, Developer Programs Engineer, App Engine


Cayden Meyer

Nov 1, 2011, 11:44:18 PM
to Google App Engine
Hey everyone, 
The first group of testers have already received invitations to start
testing. If you haven't yet received an invitation, do not despair, we
will be expanding the invitation pool in the later stages of the
testing program.
To answer a few questions from this thread:

Q: “What happens when a non-supported browser attempts to
access https://www.my-secure-appengine-app.com?” (SNI only)
A: Users with an unsupported browser will receive a certificate with an
invalid hostname. This will cause a warning in most browsers; the user
can either click through the certificate warning or try using a browser
that supports SNI.

Q: “Will wildcard and multidomain certificates be supported by VIP?”
A: Wildcard and multidomain certificates are supported by both VIP and
SNI.

Q: Various questions about pricing
A: The pricing given in the signup form is indicative only and is
subject to change. This pricing should give you a rough idea of what to
expect when SSL is launched. Trusted testers will not be charged during
the testing period.

Thanks for your interest and comments,

Kaan Soral

Mar 28, 2012, 6:34:13 PM
to google-a...@googlegroups.com
What is the current status of SSL for Custom Domains, when can we expect it in production?

James Gilliam

Apr 20, 2012, 9:54:22 AM
to Google App Engine
How about some status?

On Mar 28, 3:34 pm, Kaan Soral <kaanso...@gmail.com> wrote:
> What is the current status of SSL for Custom Domains, when can we expect it
> in production?
>
> On Monday, October 17, 2011 11:13:14 AM UTC+3, Cayden Meyer wrote:
>
> > Hey everyone,
>
> > I am pleased to announce that we are accepting signups for the SSL for
> > custom domains Trusted Tester Program. This will allow you to serve
> > secure traffic for your App Engine application from your own
> > domain(https://your.domain.com) rather than your appspot.com domain
> > (https://your-app-id.appspot.com).
>
> > We will be offering two types of SSL service, Server Name Indication
> > (SNI) and Virtual IP(VIP). SNI will be significantly less expensive
> > than VIP when this service is fully launched, however unlike VIP it
> > does not work everywhere SSL is supported, notably it is not supported
> > by IE and Safari on Windows XP. Multiple certificates are supported by
> > SNI, while the VIP service only supports a single certificate per
> > virtual IP address. Wildcard certificates and certificates with
> > alternate names are supported by both SNI and VIP.
>
> > Either a Free or Paid Google Apps account is required to use SSL. The
> > use of multiple domains is supported via the aliasing feature in
> > Google Apps.
>
> > If you are interesting in signing up to test this feature, please fill
> > in the form linked below.
>
> >https://docs.google.com/a/google.com/spreadsheet/viewform?formkey=dHF...
>
> > Currently we are testing on a limited basis and will not be able to
> > accept everybody who applies to the trusted tester program.
>
> > As with all trusted tester programs, documentation is a work in
> > progress.
>
> > This feature is still in testing and as such we would advise against
> > using this on production applications.
>
> > If you have any queries, please email google-appengine-ssl-
> > feedb...@google.com.

Cayden Meyer

Apr 22, 2012, 7:01:22 PM
to google-a...@googlegroups.com
Hi Everyone, 

SSL for Custom Domains is still undergoing testing and improvement. 

I do not have a timeline to announce at this point, but rest assured that this is a priority for the App Engine team and it is a feature we are committed to launching. 

Thanks,

Cayden Meyer
Product Manager, Google App Engine

Doug Anderson

Apr 26, 2012, 2:25:30 PM
to google-a...@googlegroups.com
Thanks for the update Cayden.  It's reassuring to know SSL on custom domains is still alive and high priority with the GAE team.

I can certainly appreciate the desire and temptation to offer a nice, clean SNI solution. However, I think today's client compatibility reality doesn't allow for an SNI solution. The main culprits are pre-ICS Android and Blackberry clients more so than IE on Win-XP. At least on Win-XP Chrome and Firefox are viable alternatives to IE. Whereas Android incompatibility includes the Kindle Fire and the overwhelming majority of Android phones on the market today. It just doesn't make sense for a modern website to deliberately disregard the certificate warnings its users will experience with those clients. The warnings leave an unprofessional blemish on the site and likely leave the user confused and questioning the site's integrity and professionalism.

My hope is that Google will stick with the SNI path for possible future deployment but realize that VIP is the only practical approach at this point in time.  This means VIP would need to be offered at an affordable price point or perhaps even made available for free.  I can only imagine the cost and challenges involved with developing a robust VIP solution in the cloud environment.  However, every once in a while a feature is significant enough to overlook the NRE and do the right thing in lieu of trying to directly recoup costs.  I would argue that SSL on custom domains is such a feature.  A proper, affordable SSL solution promotes a secure web and benefits the GAE platform.

I wish SNI had been a part of the original TLS spec but unfortunately that didn't happen and now we are forced to wait several more years for significantly more incompatible clients to flush out of the ecosystem.  The alternative is to support SNI and pollute the web with certificate warnings when Android and Blackberry clients visit certain GAE sites.  I don't think anybody wants this and I hope Google does the right thing.

  - Doug Anderson
