Yes, the connection between CloudFlare and Google is unencrypted (at
the moment).  But it doesn't defeat the point - it depends on what
your threat model is.

If you are sending credit card #s to your backend, this link is a
problem - it violates PCI requirements.  For other data, it depends on
your level of sensitivity.  The probability of someone intercepting
your data goes from "very high" at the browser to much, much lower at
your servers.  Even Google's SSL service likely terminates at some
sort of border router and traverses their (private) network
unencrypted.

Anyone in the security business will tell you there is no 100% way to
secure your system, only ways to reduce the risk.  I'm sure that
someone out there has real statistics to back this up, but the biggest
threats to data security seem to be compromised machines, first-mile
snooping (FireSheep), poorly secured infrastructure (default
passwords), lost/unsecured laptops and backup tapes, and unscrupulous
employees.  Last-mile snooping is not what keeps me up at night.

Then again, if your website is designed to coordinate civil
disobedience in restrictive regimes, I would be a lot more concerned
about the security of that last mile.  I might not even consider GAE
an acceptable hosting platform - there are a lot of employees at
Google, and maybe one of them would take a big fat stack of cash (or a
hero's welcome "back home") to sneak out a data dump.

Security must be considered in context.

Jeff

On Tue, Apr 3, 2012 at 12:00 PM, Gwyn Howell <[email protected]> wrote:
> I was getting excited until I got to the line "With GAE, you use the
> “Flexible SSL” option instead of the “Full SSL” option. This provides
> encryption between the browser and CloudFlare, but plain HTTP between
> CloudFlare and Google.". Doesn't that defeat the object?! If it's only
> encrypted as far as cloudflare you're still vulnerable for those http requests
> between cloudflare and app engine, right?!
>
>
> On Tuesday, 3 April 2012 16:52:59 UTC+1, Jeff Schnitzer wrote:
>>
>> Or, if appropriate, use this:
>>
>> http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine
>>
>> (CF is re-investigating whether they can run the last-mile in SSL too)
>>
>> Jeff
>>
>> On Tue, Apr 3, 2012 at 7:09 AM, Gwyn Howell <[email protected]> wrote:
>> > right. well as i'm sure you're aware, ssl isn't available for custom
>> > domains on app engine. there is a trusted tester program running you
>> > may wish to sign up
>> >
>> >
>> > On Tuesday, 3 April 2012 12:04:55 UTC+1, Ruben D. Orduz wrote:
>> >>
>> >> The problem he is having is that secure connections are only through
>> >> https://app.appspot.com and not through his custom domain.
>> >> On Apr 3, 2012 6:51 AM, "Gwyn Howell" <[email protected]> wrote:
>> >> >
>> >> > not sure i fully understand, but if you are finding that all your
>> >> > urls are being directed to https then you may wish to check your
>> >> > app.yaml file for secure: always.
>> >> >
>> >> > Forgive me if I've misunderstood.
>> >> >
>> >> >
>> >> > On Friday, 16 March 2012 10:03:47 UTC, msanztru wrote:
>> >> >>
>> >> >> Hello,
>> >> >>
>> >> >> We have added a custom domain to our appengine app. We followed the
>> >> >> instructions, changed everything but something went wrong and we
>> >> >> can't find the way to fix it. The thing is that in the google apps
>> >> >> appengine tab the main url specified is https://appid.appspot.com.
>> >> >> However, and that means all traffic from the domain mappings will be
>> >> >> sent to the https url, and of course this won't work. I don't know
>> >> >> how this https url ended up there as in the app engine admin
>> >> >> console, the app url is http://appid.appspot.com.
>> >> >>
>> >> >> We haven't found the way to change this url. We have tried to disable
>> >> >> this app in google apps but it didn't work, it stays there.
>> >> >>
>> >> >> This is quite urgent, so any help will be really appreciated!!
>> >> >>
>> >> >> Thanks in advance!
>> >> >
>> >> > --
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "Google App Engine" group.
>> >> > To view this discussion on the web visit
>> >> > https://groups.google.com/d/msg/google-appengine/-/OCpFcT_0ys4J.
>> >> >
>> >> > To post to this group, send email to
>> >> > [email protected].
>> >> > To unsubscribe from this group, send email to
>> >> > [email protected].
>> >> > For more options, visit this group at
>> >> > http://groups.google.com/group/google-appengine?hl=en.
>> >
>
