...and as a follow-up to this thread, I'll say that unfortunately I can't comment on the roadmap for SSL, and probing for more information than is present in the blog post is probably not a useful path to follow. Since the post was not 100% determinate about certain time-frames, it's best to take that into account when planning your business or anticipating answers from customers. Some key things to know about RC4:
1. We support RC4 as some older clients (e.g. IE6) do not support more modern ciphers. 2. GAE via custom domains is getting the same treatment as www.google.com (as noted above in this thread) 3. Our servers prefer AES over RC4 so modern clients will use strong ciphers. 4. Modern clients use TLS_FALLBACK_SCSV to prevent downgrade attacks. Best wishes, Nick On Friday, September 18, 2015 at 11:49:33 PM UTC-4, PK wrote: > > This has been reported in this public tracker about a year and a half ago > (see issue 10783 > <https://code.google.com/p/googleappengine/issues/detail?id=10783>). > Google has acknowledged the issue there but has never offered an official > response. It makes conversations with customers about security difficult. > Can somebody respond here and/or the bug tracker what the plans are to make > us look good in this test and hopefully more secure? > > (Before somebody jumps to offer Cloudflare, I know that Cloudflare or some > other front end might be an option but I do not want to have traffic in the > clear between that front end and Google, so I want a fix from Google.) > > Thanks > > > > > PK > [email protected] > > > > > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/2ef8cd51-7c68-4522-b133-f8c9e8a78499%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
