Clarifying SSL: Google App Engine still doesn't support it, appspot.com does.

Google App Engine still doesn't support SSL

I'm seeing a lot of misinformation out there that Google App Engine has SSL support. It doesn't.

If you read Google's announcement from last month carefully, you will see that it is titled "Announcing HTTPS support for appspot.com", not "for Google App Engine".

"What's the difference?", you may be wondering. It's quite big.

What Google supports is SSL for subdomains of appspot.com. So, if you are happy with serving your application only from its appspot.com subdomain, you can use SSL in your application. For example, I have several simple open source apps that I host on Google App Engine, like opencountrycodes and isvat. Since I'm not worried about having custom domains for these, I host them on appspot.com subdomains (e.g., opencountrycodes.appspot.com). If I wanted to use HTTPS on these apps, I could, and you could hit, for example, https://opencountrycodes.appspot.com to get the secure version of the site.

The issue arises when you want to use your own domain for your App Engine application. The <head> conference web site, for example, resides at http://www.headconference.com. It also has a subdomain on appspot.com, but I don't publicize that. Currently, there is no way I can use SSL on the Head Conference web site, because Google App Engine only supports SSL for appspot.com subdomains: if the app's appspot.com subdomain were headconference.appspot.com, I could use SSL there, but not on www.headconference.com.

"So", I can hear you ask, "why don't you just use headconference.com for everything and headconference.appspot.com for the SSL connections?"

The answer: sessions and usability.

Take this example:

I want to use PayPal to process a payment. My user hits www.headconference.com, signs in, and starts the checkout process. I forward the user to PayPal and pass PayPal the secure URL of my notification script (e.g., https://headconference.appspot.com/my/notification/handler/). When the user returns from PayPal, they land on headconference.appspot.com, not on the headconference.com site. The session cookie that was set for www.headconference.com is scoped to that host and is never sent to headconference.appspot.com, so their session is no longer valid and they need to sign in again.

In other words, this is not a usable solution for custom domains.
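Here is an added example (mine, not code from the original post) that reproduces the session loss with Python's standard cookie jar. It constructs the host-only session cookie that a sign-in on www.headconference.com would set, then asks the jar which cookies it would attach to a request to the checkout page and to the appspot.com notification URL from the PayPal example above. The cookie name and value are made up.

```python
import http.cookiejar
import urllib.request


def make_session_cookie(host: str, name: str = "session", value: str = "abc123") -> http.cookiejar.Cookie:
    """Constructed host-only session cookie, as a sign-in on `host` would set it.
    (name/value are hypothetical.)  No Domain attribute, so it is host-only:
    the browser sends it back to exactly `host` and nowhere else."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=host, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=False,  # the custom-domain site is plain HTTP, so Secure cannot be set anyway
        expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookie_header_for(jar: http.cookiejar.CookieJar, url: str):
    """Return the Cookie header the jar would send to `url`, or None if nothing matches.
    Uses the same domain-matching policy a browser applies."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def demo():
    """Sign in on www.headconference.com, then see what reaches each host."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_session_cookie("www.headconference.com"))
    same_site = cookie_header_for(jar, "http://www.headconference.com/checkout/")
    other_site = cookie_header_for(jar, "https://headconference.appspot.com/my/notification/handler/")
    return same_site, other_site


if __name__ == "__main__":
    same, other = demo()
    print("www.headconference.com gets:", same)      # session=abc123
    print("headconference.appspot.com gets:", other)  # None: different registrable domain
```

The second lookup comes back empty even though both hosts serve the same application: appspot.com and headconference.com are unrelated registrable domains, and no Domain attribute on the cookie can bridge them.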

The problem is that implementing SSL for custom domains on Google App Engine is not a trivial task. App Engine serves many applications from shared front-end IP addresses, and in a plain TLS handshake the server has to present its certificate before it knows which hostname the client asked for, so the front end cannot pick a per-customer certificate. One possible method that has been suggested several times in the forums is to use the Server Name Indication (SNI) extension to Transport Layer Security (TLS), which carries the requested hostname in the client's first handshake message so the server can choose the matching certificate. The caveat is that older clients (Internet Explorer on Windows XP, for one) do not send SNI and would be shown the default certificate and a name-mismatch warning.
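To make the SNI point concrete, here is an added example (mine, not from the original post or from Google) that encodes a minimal TLS 1.2 ClientHello, with or without the server_name extension, and shows what a shared front end can and cannot learn from it before it must answer with a certificate. The hostnames are the ones used on this page; the certificate labels in `choose_certificate` are hypothetical placeholders for whatever the front end would really hold.

```python
import os
import struct
from typing import Optional

SNI_EXT = 0x0000  # TLS extension type "server_name" (RFC 6066)


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Encode a minimal TLS 1.2 ClientHello record (constructed test input).
    hostname=None omits the SNI extension, as a pre-SNI client does."""
    # cipher suites: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    suites = bytes.fromhex("002fc02f")
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    hello = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # compression_methods: null only
    )
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension,
    or None if the record is not a ClientHello, is malformed, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:           # not a handshake record
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:               # not a ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    try:
        off = 2 + 32                                   # client_version + random
        sid_len = hello[off]; off += 1 + sid_len
        (cs_len,) = struct.unpack("!H", hello[off:off + 2]); off += 2 + cs_len
        comp_len = hello[off]; off += 1 + comp_len
        if off + 2 > len(hello):
            return None                                # no extensions block at all
        (ext_len,) = struct.unpack("!H", hello[off:off + 2]); off += 2
        end = min(off + ext_len, len(hello))
        while off + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[off:off + 4]); off += 4
            ext = hello[off:off + ext_size]; off += ext_size
            if ext_type != SNI_EXT:
                continue
            (list_len,) = struct.unpack("!H", ext[:2])
            pos = 2
            while pos + 3 <= 2 + list_len:
                name_type = ext[pos]
                (name_len,) = struct.unpack("!H", ext[pos + 1:pos + 3])
                name = ext[pos + 3:pos + 3 + name_len]
                pos += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
    except (IndexError, struct.error):
        return None                                    # truncated or malformed input
    return None


def choose_certificate(record: bytes, certs: dict, default: str) -> str:
    """What a shared front end must decide before it can reply: pick the
    certificate for the SNI hostname, or fall back to the shared default
    when the client sent none (hypothetical cert labels)."""
    return certs.get(parse_sni(record), default)


if __name__ == "__main__":
    certs = {"www.headconference.com": "headconference-cert"}
    print(parse_sni(build_client_hello("www.headconference.com")))
    print(choose_certificate(build_client_hello(None), certs, "appspot-default-cert"))
```

The second call is the whole difficulty in one line: a client that does not send SNI gives the front end nothing to dispatch on, so every such client on a shared address gets the default certificate whatever hostname it typed.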

So what is the current state of SSL on Google App Engine? It's still not supported, with the exception of applications that are hosted only at appspot.com subdomains. In other words — given that most real-world applications, whether commercial or not, will want to be hosted under their own domains — SSL is still not supported for real-world applications on Google App Engine.
