What are the costs of SSL on custom domains on GAE? [closed]

Question

Does Google have to make significant infrastructure costs to support SSL on custom domains? Does it have to buy IPv4 address space or something? I'm not very familiar with this technology, and I don't understand why SNI/VIP costs $120/$1200 per year.

This post http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html claims that it's not CPU or network costs of SSL, and I believe you have to provide your own SSL certificate. So why is it so expensive to provide HTTPS support for GAE?

Edit: This questions seems to be quite popular, but as yet has not had a satisfying answer. I'm interested in the technology behind providing SLL on custom domains, and I don't think the answer is "Google likes money", given their enormous push towards SSL on many of their products, and encryption built-in to SPDY.

Further edit: A related/extended question would be "Why does the cost of SSL on custom domains not scale with the size of the app?". All other costs (bandwidth, number of instances, data storage etc.) scale as you grow. SSL on CD is all up front, and prohibitively expensive for small apps, though as people point out, fixed and therefore a very good deal for large apps. Does anyone know why they chose to charge like this?

Answer 1

We announced the new pricing for SSL VIP at: http://googleappengine.blogspot.jp/2012/09/announcing-new-pricing-for-virtual-ip.html

Now VIP based SSL costs only $39/month.

We also say the following in the post:

Google App Engine SSL for Custom Domains goes above and beyond the basics of SSL by offering globally distributed SSL endpoints and built-in load balancing. Like App Engine in general, there is no need for ongoing system administration and maintenance.

Google App Engine SSL is not just a certificate storage, it also provides distributed endpoints and built-in load balancing. In other words, it is not one single server running apache with your certificate.

Hope this answer helps.

Answer 2

I think that Google has had to make significant infrastructure changes in order to support SSL on GAE. This has been a long standing feature request so I for one am happy that it is finally here.

SSL was always supported on *.appspot.com URLs. Just not on your own domain name. The reason is not the 'computational' cost but the fact that for SSL to work the server that handles the requests for your app will need that SSL certificate.

So how does that scale when you've got a million of those machines? Not to mention the fact that you need to distribute the certificate everywhere. Then there is the problem that its not just your SSL certificate but one certificate per app that wants SSL and the fact that they will need to allow app owners to purchase, upload and replace the certificate.

The SNI/TLS option is cheaper but requires OS's and Browsers etc. to support it because this solution uses an extension called Server Name Indication (SNI) that allows Google to 'select' the SSL certificate dynamically based on that 'server name'. Older implementations of SSL will probably not support this.

The VIP option is more expensive because it assigns a dedicated IP address to your application. This solution does not require SNI. So I guess that if you want to be absolutely sure SSL will work everywhere, then go for VIP.

The cost of any feature is just another thing to consider in your business plan. I am not convinced that the amount you are referring to is going to be a show stopper for those that would really benefit from the feature.