Thanks for the update Cayden. It's reassuring to know SSL on custom domains is still alive and high priority with the GAE team.
I can certainly appreciate the desire and temptation to offer a nice, clean SNI solution. However, I think today's client compatibility reality doesn't allow for an SNI solution. The main culprits are pre-ICS Android and Blackberry clients more so than IE on Win-XP. At least on Win-XP Chrome and FireFox are viable alternatives to IE. Whereas Android incompatibility includes the Kindle Fire and the overwhelming majority of Android phones on the market today. It just doesn't make sense for a modern website to deliberately disregard the certificate warnings its users will experience with those clients. The warnings leave an unprofessional blemish on the site and likely leave the user confused and questioning the site's integrity and professionalism. My hope is that Google will stick with the SNI path for possible future deployment but realize that VIP is the only practical approach at this point in time. This means VIP would need to be offered at an affordable price point or perhaps even made available for free. I can only imagine the cost and challenges involved with developing a robust VIP solution in the cloud environment. However, every once in a while a feature is significant enough to overlook the NRE and do the right thing in lieu of trying to directly recoup costs. I would argue that SSL on custom domains is such a feature. A proper, affordable SSL solution promotes a secure web and benefits the GAE platform. I wish SNI had been a part of the original TLS spec but unfortunately that didn't happen and now we are forced to wait several more years for significantly more incompatible clients to flush out of the ecosystem. The alternative is to support SNI and pollute the web with certificate warnings when Android and Blackberry clients visit certain GAE sites. I don't think anybody wants this and I hope Google does the right thing. - Doug Anderson On Sunday, April 22, 2012 7:01:22 PM UTC-4, Cayden Meyer wrote: > > Hi Everyone, > > SSL for Custom Domains is still undergoing testing and improvement. > > I do not have a timeline to announce at this point, but rest assured that > this is a priority for the App Engine team and it is a feature we are > committed to launching. > > Thanks, > > Cayden Meyer > Product Manager, Google App Engine > > On 20 April 2012 23:54, James Gilliam <[email protected]> wrote: > >> How about some status? >> >> On Mar 28, 3:34 pm, Kaan Soral <[email protected]> wrote: >> > What is the current status of SSL for Custom Domains, when can we >> expect it >> > in production? >> > >> > >> > >> > >> > >> > >> > >> > On Monday, October 17, 2011 11:13:14 AM UTC+3, Cayden Meyer wrote: >> > >> > > Hey everyone, >> > >> > > I am pleased to announce that we are accepting signups for the SSL for >> > > custom domains Trusted Tester Program. This will allow you to serve >> > > secure traffic for your App Engine application from your own >> > > domain(https://your.domain.com) rather than your appspot.com domain >> > > (https://your-app-id.appspot.com). >> > >> > > We will be offering two types of SSL service, Server Name Indication >> > > (SNI) and Virtual IP(VIP). SNI will be significantly less expensive >> > > than VIP when this service is fully launched, however unlike VIP it >> > > does not work everywhere SSL is supported, notably it is not supported >> > > by IE and Safari on Windows XP. Multiple certificates are supported by >> > > SNI, while the VIP service only supports a single certificate per >> > > virtual IP address. Wildcard certificates and certificates with >> > > alternate names are supported by both SNI and VIP. >> > >> > > Either a Free or Paid Google Apps account is required to use SSL. The >> > > use of multiple domains is supported via the aliasing feature in >> > > Google Apps. >> > >> > > If you are interesting in signing up to test this feature, please fill >> > > in the form linked below. >> > >> > >https://docs.google.com/a/google.com/spreadsheet/viewform?formkey=dHF. >> .. >> > >> > > Currently we are testing on a limited basis and will not be able to >> > > accept everybody who applies to the trusted tester program. >> > >> > > As with all trusted tester programs, documentation is a work in >> > > progress. >> > >> > > This feature is still in testing and as such we would advise against >> > > using this on production applications. >> > >> > > If you have any queries, please email google-appengine-ssl- >> > > [email protected]. >> > >> > > Cheers, >> > >> > > Cayden Meyer >> > > Product Manager, Google App Engine >> > > Blogger:http://googleappengine.blogspot.com >> > > Reddit:http://www.reddit.com/r/appengine >> > > Twitter:http://twitter.com/app_engine >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google App Engine" group. >> To post to this group, send email to [email protected]. >> To unsubscribe from this group, send email to >> [email protected]. >> For more options, visit this group at >> http://groups.google.com/group/google-appengine?hl=en. >> >> > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/2yI88UkFaKkJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
