Qualys SSL Test keeps rating Google App Engine sites with B


PK

Sep 18, 2015, 11:49:33 PM
to Google App Engine
This has been reported in this public tracker about a year and a half ago (see issue 10783). Google has acknowledged the issue there but has never offered an official response. It makes conversations with customers about security difficult. Can somebody respond here and/or the bug tracker what the plans are to make us look good in this test and hopefully more secure?

(Before somebody jumps to offer Cloudflare, I know that Cloudflare or some other front end might be an option but I do not want to have traffic in the clear between that front end and Google, so I want a fix from Google.)

Thanks




Kyle Finley

Sep 20, 2015, 12:27:51 AM
to Google App Engine
PK,

It looks like this issue will be resolved soon.

Disabling SSLv3 and RC4  http://googleonlinesecurity.blogspot.com/2015/09/disabling-sslv3-and-rc4.html

> [..] Because of these issues we expect to disable both SSLv3 and RC4 support at Google’s frontend servers and, over time, across our products in general, including Chrome, Android, our webcrawlers and our SMTP servers.

Kyle

PK

Sep 20, 2015, 1:50:49 AM
to google-a...@googlegroups.com
Thanks Kyle, I ran into this in my news feed after I sent this. I just tested www.google.com and it also scores a B.

There is probably some connection between Google’s own front end and GAE but I would like to hear from the GAE team what the plan is. I still think GAE should give more flexibility to the developer on how to configure SSL.



Nick (Cloud Platform Support)

Sep 21, 2015, 1:47:49 PM
to Google App Engine
Hey folks,

The link posted by Kyle seems to be adequate discussion from an official Google source as to the status of SSL on the platform. There are also docs which discuss the App Engine SSL options. 

Best wishes,

Nick



Nick (Cloud Platform Support)

Sep 23, 2015, 1:53:36 PM
to Google App Engine
...and as a follow-up to this thread, I'll say that unfortunately I can't comment on the roadmap for SSL, and probing for more information than is present in the blog post is probably not a useful path to follow. Since the post was not 100% determinate about certain time-frames, it's best to take that into account when planning your business or anticipating answers from customers.

Some key things to know about RC4:
  1. We support RC4 as some older clients (e.g. IE6) do not support more modern ciphers.
  2. GAE via custom domains is getting the same treatment as www.google.com (as noted above in this thread).
  3. Our servers prefer AES over RC4 so modern clients will use strong ciphers.
  4. Modern clients use TLS_FALLBACK_SCSV to prevent downgrade attacks.

Best wishes,

Nick
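
Points 1, 3 and 4 of the post above, modelled as an added example that is not part of the thread and not Google's frontend code: server-preference cipher selection and the RFC 7507 fallback check, run against a policy that still accepts SSLv3 and RC4 and one that has dropped both. The policy dictionaries, client hellos and function names are assumptions constructed for illustration.

```python
# Simplified model of server-side TLS selection (added example, not Google's code).
RC4_SHA = 0x0005           # TLS_RSA_WITH_RC4_128_SHA
AES128_SHA = 0x002F        # TLS_RSA_WITH_AES_128_CBC_SHA
ECDHE_AES128_GCM = 0xC02F  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2 only)
FALLBACK_SCSV = 0x5600     # TLS_FALLBACK_SCSV, RFC 7507: a signal, not a cipher
SSL3, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)
HANDSHAKE_FAILURE, PROTOCOL_VERSION, INAPPROPRIATE_FALLBACK = 40, 70, 86

# Assumed policies. LEGACY: AES preferred, RC4 and SSLv3 still accepted.
# HARDENED: SSLv3 and RC4 removed.
LEGACY = {"min": SSL3, "max": TLS12,
          "prefer": [ECDHE_AES128_GCM, AES128_SHA, RC4_SHA]}
HARDENED = {"min": TLS10, "max": TLS12,
            "prefer": [ECDHE_AES128_GCM, AES128_SHA]}


class HandshakeAlert(Exception):
    def __init__(self, code):
        super().__init__(f"fatal alert {code}")
        self.code = code


def negotiate(policy, client_version, client_suites):
    """Return (version, suite) chosen by the server, or raise HandshakeAlert."""
    # RFC 7507: a retry marked with the SCSV below the server's best version
    # means something forced the client down, so refuse it.
    if FALLBACK_SCSV in client_suites and client_version < policy["max"]:
        raise HandshakeAlert(INAPPROPRIATE_FALLBACK)
    if client_version < policy["min"]:
        raise HandshakeAlert(PROTOCOL_VERSION)
    version = min(client_version, policy["max"])
    for suite in policy["prefer"]:  # server order decides, not client order
        if suite == ECDHE_AES128_GCM and version < TLS12:
            continue  # AEAD suites cannot be used below TLS 1.2
        if suite in client_suites:
            return version, suite
    raise HandshakeAlert(HANDSHAKE_FAILURE)


def outcome(policy, client_version, client_suites):
    """Like negotiate(), but report a refusal as ('alert', code)."""
    try:
        return negotiate(policy, client_version, client_suites)
    except HandshakeAlert as alert:
        return ("alert", alert.code)


# Constructed client hellos (not captured traffic).
MODERN = (TLS12, [RC4_SHA, AES128_SHA, ECDHE_AES128_GCM])   # lists RC4 first
OLD_CLIENT = (SSL3, [RC4_SHA])                              # RC4 only
DOWNGRADED = (TLS10, [AES128_SHA, RC4_SHA, FALLBACK_SCSV])  # fallback retry
```

Calling `outcome(LEGACY, *MODERN)` and `outcome(HARDENED, *OLD_CLIENT)` shows the trade-off in the thread: the modern client gets AES under either policy, while the RC4-only client connects only where RC4 and SSLv3 are still enabled.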