26

Does Google have to make significant infrastructure costs to support SSL on custom domains? Does it have to buy IPv4 address space or something? I'm not very familiar with this technology, and I don't understand why SNI/VIP costs $120/$1200 per year.

This post http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html claims that it's not CPU or network costs of SSL, and I believe you have to provide your own SSL certificate. So why is it so expensive to provide HTTPS support for GAE?

Edit: This question seems to be quite popular, but as yet has not had a satisfying answer. I'm interested in the technology behind providing SSL on custom domains, and I don't think the answer is "Google likes money", given their enormous push towards SSL on many of their products, and encryption built in to SPDY.

Further edit: A related/extended question would be "Why does the cost of SSL on custom domains not scale with the size of the app?". All other costs (bandwidth, number of instances, data storage etc.) scale as you grow. SSL on CD is all up front, and prohibitively expensive for small apps, though as people point out, fixed and therefore a very good deal for large apps. Does anyone know why they chose to charge like this?

Dijkstra
  • $120 per year is not expensive. – themihai Nov 08 '13 at 00:07
  • Actually these days SNI is free (the certificate is extra, but that's needed regardless of using GAE or not): https://cloud.google.com/appengine/docs/python/console/using-custom-domains-and-ssl#vip_versus_sni – Dan Cornilescu May 12 '16 at 15:22

4 Answers

4

We announced the new pricing for SSL VIP at: http://googleappengine.blogspot.jp/2012/09/announcing-new-pricing-for-virtual-ip.html

Now VIP based SSL costs only $39/month.

We also say the following in the post:

Google App Engine SSL for Custom Domains goes above and beyond the basics of SSL by offering globally distributed SSL endpoints and built-in load balancing. Like App Engine in general, there is no need for ongoing system administration and maintenance.

Google App Engine SSL is not just certificate storage; it also provides distributed endpoints and built-in load balancing. In other words, it is not one single server running Apache with your certificate.

Hope this answer helps.

Takashi Matsuo
  • Sorry, that only really half-answers it. Obviously it's nice to know the price of VIP is coming down (was announced after I asked the question). However GAE offers built-in load balancing anyway, so that shouldn't contribute to the cost of SSL. I still don't understand why my estimate of $10/year for some kind of SSL on a custom domain was off by an order of magnitude. – Dijkstra Sep 24 '12 at 11:44
  • The App Engine SSL service is as scalable, highly available, and secure as App Engine itself. I don't think one single server can handle tens of thousands of QPS. With App Engine SSL, you don't need to worry about redundancy of your system anymore. You also don't need to worry about upgrading OS or Apache anymore. – Takashi Matsuo Sep 24 '12 at 12:12
  • "you don't need to worry about redundancy of your system anymore" - are you saying that SSL provides something extra apart from the secure connection? Going from ordinary GAE to SSL Custom domain, I didn't think anything changes with SSL, no extra load balancing is done, right? I have no idea what my OS has to do with it. And anyway, anything that SSL does is already available to me, for free, on example.appspot.com. So why is it so costly? – Dijkstra Sep 24 '12 at 15:12
  • The endpoints need to be redundant and scalable. The certificates should be deployed to those endpoints immediately. The users should be able to safely replace the certificate. It's a totally different system from the normal appspot SSL. All of those systems will keep up to date automagically. If you choose to build a reverse proxy for providing SSL connections by yourself, you will need to care about vulnerabilities of the OS and HTTP server, scalability problems, and health of the hardware forever. If you can provide the same service for $10/year, seriously it's your business chance :) – Takashi Matsuo Sep 24 '12 at 15:57
3

I think that Google has had to make significant infrastructure changes in order to support SSL on GAE. This has been a long standing feature request so I for one am happy that it is finally here.

SSL was always supported on *.appspot.com URLs. Just not on your own domain name. The reason is not the 'computational' cost but the fact that for SSL to work the server that handles the requests for your app will need that SSL certificate.

So how does that scale when you've got a million of those machines? Not to mention the fact that you need to distribute the certificate everywhere. Then there is the problem that it's not just your SSL certificate but one certificate per app that wants SSL, and the fact that they will need to allow app owners to purchase, upload and replace the certificate.

The SNI/TLS option is cheaper but requires OSes, browsers etc. to support it, because this solution uses an extension called Server Name Indication (SNI) that allows Google to 'select' the SSL certificate dynamically based on that 'server name'. Older implementations of SSL will probably not support this.

The VIP option is more expensive because it assigns a dedicated IP address to your application. This solution does not require SNI. So I guess that if you want to be absolutely sure SSL will work everywhere, then go for VIP.

The cost of any feature is just another thing to consider in your business plan. I am not convinced that the amount you are referring to is going to be a show stopper for those that would really benefit from the feature.

Mo'in Creemers
  • Thank you. I do not think it would affect business costs much, but it does limit it to professional uses only, not weekend web apps. I appreciate the problems of scale, but GAE is all about scaling, and all other costs scale with the size of your app. Why is the cost of a massively scaled SSL system forced on someone all at once, rather than as they scale? (I realise this is a separate question.) Thanks again. – Dijkstra Sep 25 '12 at 16:53
  • @Dijkstra Well, myweekendwebapp.appspot.com seems acceptable to me. I can only guess but I think Google's thoughts were that this feature is really meant for professional use. And it may be designed to be scalable on paper, who says it is in the real world? At this time they may not want everyone to jump onto the SSL 'wagon' all at once (especially the VIP one). – Mo'in Creemers Sep 25 '12 at 19:03
1

Foremost Google offers two kinds of SSL for custom domains.

  1. Server Name Indication (SNI). This is an extension of SSL where multiple domains can share the same IP, but it's not supported by old browsers or Windows XP (not recommended for commercial applications); however, this option is cheaper.
  2. Virtual IP (VIP). SSL certificates basically link a domain to one IP, and two domains can't have the same IP, so yes, Google has to buy a range of IPs to support this feature.

But the more important reason for those prices is that SSL on custom domains is a "must" for commercial applications, so they take advantage of that.

Ma Jerez
0

It's just a business: cool optional features for cloud hosting are always expensive.

And

  • Yes, certificate price is not included
  • I'm not sure how Google Frontend (their web server) works and how expensive it is in terms of CPU/memory for certificate usage, especially as a high-load solution.
  • It took some time for them to implement the feature. And time is money, so maybe they just want their money back.