...and as a follow-up to this thread, I'll say that unfortunately I can't comment on the roadmap for SSL, and probing for more information than is present in the blog post is probably not a useful path to follow. Since the post was not 100% determinate about certain time-frames, it's best to take that into account when planning your business or anticipating answers from customers. Some key things to know about RC4:
1. We support RC4 as some older clients (e.g. IE6) do not support more modern ciphers. 2. GAE via custom domains is getting the same treatment as www.google.com (as noted above in this thread) 3. Our servers prefer AES over RC4 so modern clients will use strong ciphers. 4. Modern clients use TLS_FALLBACK_SCSV to prevent downgrade attacks. If you require formal certification that we (Google Cloud Platform) adhere to PCI DSS (a common reason to wonder about RC4), this form <https://docs.google.com/a/google.com/forms/d/14G7TVGbiej6m_IoJp7vHI5Q4ObR590yeppMLG63A4u4/viewform> can be used to request that. Best wishes, Nick On Monday, September 21, 2015 at 1:47:49 PM UTC-4, Nick (Cloud Platform Support) wrote: > > Hey folks, > > The link posted by Kyle seems to be adequate discussion from an official > Google source as to the status of SSL on the platform. There are also docs > <https://cloud.google.com/appengine/docs/using-custom-domains-and-ssl?hl=en> > which discuss the App Engine SSL options. > > Best wishes, > > Nick > > On Sunday, September 20, 2015 at 1:50:49 AM UTC-4, PK wrote: >> >> Thanks Kyle, I run into this in my news feed after I sent this. I just >> tested www.google.com and also scores a B. >> >> There is probably some connection between Google’s own front end and GAE >> but I would like to hear from the GAE team what the plan is. I still think >> GAE should give more flexibility to the developer on how to configure SSL. >> >> On Sep 19, 2015, at 9:27 PM, Kyle Finley <[email protected]> wrote: >> >> PK, >> >> It looks like this issue will be resolved soon. >> >> Disabling SSLv3 and RC4 >> <http://googleonlinesecurity.blogspot.com/2015/09/disabling-sslv3-and-rc4.html> >> >> http://googleonlinesecurity.blogspot.com/2015/09/disabling-sslv3-and-rc4.html >> >> > [..] Because of these issues we expect to disable both SSLv3 and RC4 >> support at Google’s frontend servers and, over time, across our products in >> general, including Chrome, Android, our webcrawlers and our SMTP servers. >> >> Kyle >> >> On Friday, September 18, 2015 at 10:49:33 PM UTC-5, PK wrote: >>> >>> This has been reported in this public tracker about a year and a half >>> ago (see issue 10783 >>> <https://code.google.com/p/googleappengine/issues/detail?id=10783>). >>> Google has acknowledged the issue there but has never offered an official >>> response. It makes conversations with customers about security difficult. >>> Can somebody respond here and/or the bug tracker what the plans are to make >>> us look good in this test and hopefully more secure? >>> >>> (Before somebody jumps to offer Cloudflare, I know that Cloudflare or >>> some other front end might be an option but I do not want to have traffic >>> in the clear between that front end and Google, so I want a fix from >>> Google.) >>> >>> Thanks >>> >>> >>> >>> >>> PK >>> [email protected] >>> >>> >>> >>> >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google App Engine" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To post to this group, send email to [email protected]. >> Visit this group at http://groups.google.com/group/google-appengine. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/google-appengine/10b1a641-4fc7-4765-9617-bee715218e4a%40googlegroups.com >> >> <https://groups.google.com/d/msgid/google-appengine/10b1a641-4fc7-4765-9617-bee715218e4a%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> >> >> >> PK >> [email protected] >> >> >> >> >> -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/fe399a0e-e85a-4a1a-bedd-780f77daad03%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
