How-to for SSL

21 views
Skip to first unread message

Filip

unread,
Apr 14, 2008, 4:08:05 AM4/14/08
to Google App Engine
Does anybody have any experience using secure connections from the
Google App Engine. I understand it currently does not support SSL, but
I need to upload some data to do tests and I need an SSL encrypted
transfer.

Is there a way of using SSL anyway, and perhaps tell the browser to
ignore the fact that the Google certificate URL does not match the
appspot.com url?

Any help is greatly appreciated !

hads

unread,
Apr 14, 2008, 5:40:10 AM4/14/08
to Google App Engine
That's not really the way SSL works. App Engine not supporting SSL
really does mean that you can't use SSL.

hads

Filip

unread,
Apr 14, 2008, 5:56:47 AM4/14/08
to Google App Engine
Hads,

So how would I transmit encrypted data from the browser to the App
Engine servers using SSL?

Filip.

Brett Morgan

unread,
Apr 14, 2008, 5:59:04 AM4/14/08
to google-a...@googlegroups.com
I'd suspect the best bet would be to wait until full release and pay
for the commercial version that comes with SSL.

=)

Filip Verhaeghe

unread,
Apr 14, 2008, 6:05:39 AM4/14/08
to google-a...@googlegroups.com
I'll take the second best bet then... ;-)
 
I'll certainly be willing to pay for the commercial version that comes with SSL and many terrabytes of data storage. But in the meanwhile, I can't upload test data either, I can't do our own beta testing phase, and that is a big problem.
 
Any other suggestions on how to do SSL at this time?
 
Thanks,
Filip.

Brett Morgan

unread,
Apr 14, 2008, 6:08:41 AM4/14/08
to google-a...@googlegroups.com
SSL by it's nature requires support at both client and server. There
is no support on the server. Thus you can't do it.

My question is why you need ssl over data being seeded in the db.
Surely you can live with dummy data during app development, yeah?

Filip Verhaeghe

unread,
Apr 14, 2008, 6:18:52 AM4/14/08
to google-a...@googlegroups.com
That really depends on the content of the data sample. This isn't a random bunch of strings or numbers. There are loads and loads of dependencies between the data (and I don't mean relational JOINs).
So crafting a set of data takes a lot of work, it is just much easier to upload a (reduced) actual data set.
 
Besides, allowing beta customers interact with a limited set of their own data is extremely useful to test if we can actually build the required features with the App Engine.
 
Naturally, SSL requires support from the server, but does App Engine make SSL connections impossible, or does it just use the wrong certificate?

Brett Morgan

unread,
Apr 14, 2008, 7:17:34 AM4/14/08
to google-a...@googlegroups.com
It doesn't support SSL at all at this time.

On Mon, Apr 14, 2008 at 8:18 PM, Filip Verhaeghe

matt wilbert

unread,
Apr 14, 2008, 9:02:37 AM4/14/08
to google-a...@googlegroups.com
If the problem is just getting the data into the environment, rather than secure user sessions, you could just encrypt the data and send it, then decrypt it once it gets there.  You would have to do that in small chunks, obviously.  If I had to do it, I'd write something that exported tables an encrypted row at a time via http, and then put a decryption routine in the server.

Yes, you would have a key exchange problem, but (for instance) you could send or fetch a decryption key up via a different path, which should be reasonably secure.   There are also supposedly pure python public key systems out there, but I haven't used them, nor have I tested them inside the AppEngine sandbox.

Matt

Filip Verhaeghe

unread,
Apr 14, 2008, 9:13:40 AM4/14/08
to google-a...@googlegroups.com
Hi Matt,
 
Thanks for the suggestion. I'm planning on doing something along those lines.
 
Still, I need secure user sessions too, and I'm even thinking of building a trivial custom browser that sends the content through a decryption before showing it to the user. Any kind of SSL support would obviously be a lot better.
 
Filip.
 

matt wilbert

unread,
Apr 14, 2008, 9:24:46 AM4/14/08
to google-a...@googlegroups.com
Yes, standard is better.

Maybe you could make a decrypting  proxy server; in my opinion that would be easier than a browser.

Matt

Cuong Tran

unread,
Apr 14, 2008, 2:15:44 PM4/14/08
to google-a...@googlegroups.com
I think Hads made it clear: you can not!

> --~--~---------~--~----~------------~-------~--~----~
> You received this message because you are subscribed to the Google
> Groups "Google App Engine" group.
> To post to this group, send email to google-a...@googlegroups.com
> To unsubscribe from this group, send email to google-appengi...@googlegroups.com
> For more options, visit this group at http://groups.google.com/gro

Filip Verhaeghe

unread,
Apr 15, 2008, 3:14:31 AM4/15/08
to google-a...@googlegroups.com
Well, let's hope Google catches up with its competitors quickly then!
 
Right now, I have the option of sending my data to Google App Engine's competitors, Microsoft SSDS or Amazon SimpleDB, both of which have a secure database connection. Microsoft SSDS uses SSL. Clearly, it can be done.
 
But Google currently has the nicest integrated application hosting environment that develops and scales easiest (for now at least until April 23). Google is teaming up this week with Salesforce to get a better grip on the enterprise market. Why does it prevent developers from using App Engine in busines environments? I do understand the feature might be only for paying users, but I don't see the relevance of this. It is still going to be needed in a beta phase. I can convince customers to participate in beta testing my software, and that they should trust Google with their data. I can even get away with using the *.appspot.com domain during the beta phase. But I can't say I'm going to send data in cleartext over the Internet.
 
Filip.

 

Brett Morgan

unread,
Apr 15, 2008, 3:44:07 AM4/15/08
to google-a...@googlegroups.com
This is early access stuff, and i don't honestly feel that the other
teams you have nominated are really competitors with GAE in terms of
stupidly scalable webapp building solutions.

Aaron Krill

unread,
Apr 15, 2008, 3:52:59 AM4/15/08
to google-a...@googlegroups.com
I think SSL is an important part of any webservice, though I agree it isn't crucial at this point. Right now AppEngine is for development and testing purposes, meaning it is NOT PRODUCTION READY and as such should not be trusted or used for any real-world purposes. Development should never require SSL as you should never be transmitting private data during development.

It still would be nice to know what Google will be doing for SSL. They'll probably charge a yearly fee for an SSL cert or something later on after the beta.

Filip Verhaeghe

unread,
Apr 15, 2008, 3:53:15 AM4/15/08
to google-a...@googlegroups.com
Brett, don't get me wrong, I agree with you on both counts. I really love the approach Google is taking on this, and it is way better than other approaches so far.
Google App Engine can improve on security, but the other guys certainly have serious catching up of their own to do.
I'm just really blocked on this, and its annoying, because stupidly scalable is exactly what I need.
 
Filip.
 

Brett Morgan

unread,
Apr 15, 2008, 3:58:43 AM4/15/08
to google-a...@googlegroups.com
You really shouldn't be developing with production data. Production
data almost never has the range of edge cases that you need to push
your application. That, and I suspect, any current data you have is
going to structured in a relational manner, and thus is going to hurt
you performance wise.

It would probably help you to develop from scratch using a DataStore
friendly data format and then worry about transforming your production
data as a another step once you are happy with what you have
developed. I always have a button in my development app that cleans
the database and regenerates test data for me, so that i can always
reproduce errors easily, and not worry about "running out" of data.

On Tue, Apr 15, 2008 at 5:53 PM, Filip Verhaeghe

Reply all
Reply to author
Forward
0 new messages