SSL expensive, why?
Hi,
I’m asking the Fastly community to share some experience about how to set up a cheaper and production-ready SSL configuration.
I have many websites hosted on different domains (a.com, b.com, c.com, d.com) and I want to have an SSL certificate for each one in order to use HTTP2 and ServerPush.
From what I understood, Fastly supports TLS but I need to pay $100 / month.
This means about $600 in my scenario since I have 6 domains.
The question is:
- Is there a good and cheaper way to enable HTTP2 on Fastly?
- Why doesn’t Fastly just use the Let’s Encrypt library?
- Amazon EC2 is able to support certificate generation for free, why is Fastly so expensive?
-
[quote] I want to have an SSL certificate for each one in order to use HTTP2 and ServerPush. From what I understood, Fastly supports TLS but I need to pay $100 / month. This means about $600 in my scenario since I have 6 domains. [/quote]
There would be a number of ways to reduce this from $600. By talking to a Sales person (via sales@fastly.com), you're likely to be able to do this by either reducing the amount you pay per certificate or changing to using a hosted certificate with the domains added as SANs. Of course, whatever the cost, it isn't as low as free, so if that's what you're looking to get, it doesn't make sense to start the discussion.
[quote] Is there a good and cheaper way to enable HTTP2 on Fastly? [/quote]
HTTP/2 needs TLS, and if you want TLS + your own custom domain on Fastly you'll have to choose either SAN entries on a shared certificate or a hosted certificate, as mentioned here.
[quote] Why doesn’t Fastly just use the Let’s Encrypt library? [/quote]
I'm sure you'll appreciate there's more to it than just using Let's Encrypt! Whatever method we use for TLS certificate provisioning, there still have to be methods of keeping them up to date and synchronizing them across all our servers, keeping everything secure and so on. Thus the "just" soon becomes something that is a more involved undertaking.
[quote] Amazon EC2 is able to support certificate generation for free, why is Fastly so expensive? [/quote]
EC2 is a platform for provisioning server instances in the cloud. We're a CDN, which is a lot different, so that's not comparing similar things. I guess the point you wanted to make is that if you go to some other CDN providers you may get a lower price for TLS certificates. Perhaps that is true, but you need to evaluate all features, performance and other needs (such as good support!) and see which really has the lower cost over time. If something is completely free but when you have a problem with it you have to struggle without assistance because support is either a Google search or nothing, then it's not really 'free' (unless your time is worth nothing).
Having said all that, pricing of our TLS offerings is something we've been looking at and we will strive to keep our offering competitive over time.
-
I want to explain to you exactly what I think.
We are developing a service to improve security and analysis: I don't want to share our website there. Our plan - like every startup - is to make a lot of customers; let's say 1.000 customers monthly or more.
We want to use Fastly, so we can route requests and use HTTP2 and Push.
Our offer is $250/year, maybe in the future $500/year with some add-on we are working on. The original idea was to charge an extra fee for HTTPS. So we will charge $500/year for our service and $1.200 / year for the Fastly TLS certificate.
1200 USD per domain means 12.000 USD for 10 domains.
How can I make my business grow if Fastly charges me 600% more than what I charge my customers?
Actually we have 12 Customers in beta, hosted on EC2 with ACM (Automatic Certificate Manager). As a note, Amazon is able to support HTTPS on CloudFront that is what we are doing right now.
I can try to reach out to your sales team - but I'm not sure if there is a solution...
-
Hi Justin,
[quote="justin, post:2, topic:1147, full:true"] I'm sure you'll appreciate there's more to it than just using Let's Encrypt! Whatever method we use for TLS certificate provisioning, there still have to be methods of keeping them up to date and synchronizing them across all our servers, keeping everything secure and so on. Thus the "just" soon becomes something that is a more involved undertaking. [/quote]
It’s true that providing SSL “for free” does cost something to the provider, whether it’s ACM or a competing CDN. However, the practice of securing connections by default is slowly becoming the industry standard, and customers begin to expect SSL to be included in the price “for free”.
[quote="justin, post:2, topic:1147"] Having said all that, pricing of our TLS offerings is something we’ve been looking at and we will strive to keep our offering competitive over time. [/quote]
That’s good, thanks for the info! Let’s hope something comes out of it.
-
It would be good to know how Shopify do it... they are a client of Fastly and they use Let's Encrypt? I appreciate the scale they operate at is vastly higher than many others, but presumably this means Fastly have some means of supporting this?
Shopify starts at $29/mo and that includes SSL... so whilst I appreciate it's not free for Fastly to implement auto-renewal etc, surely it's feasible that this should be at most $10/mo/domain?
-
Fastly has been promising Let's Encrypt support for quite some time now. I can't see why there is this delay in delivering, as this is practically standard at this point.
Saying that not being able to give appropriate support is just a very cheap excuse in my opinion. At worst you can just provide it as is for whoever wants to use it even without "support". Later once you can finally provide support just charge for it. It would even be acceptable to be charged something like 10$ for a Let's Encrypt "addon".
As time passes and I read the replies to these requests, I am afraid to say it, but it starts to look like Fastly is just trying to hold on to this cash cow for as long as possible. This does not seem like "good support". Your current prices for TLS are just way higher than the competition.
The only thing that keeps me as a customer is your API and instant invalidation. One would say that if you managed to provide instant invalidation it should be a matter of days to implement Let's Encrypt support.
Safety should be a standard that all of us provide to our customers. Being charged these prices for it is just immoral.
-
Hi Joao,
Thank you for your comments. We appreciate there is demand for Let's Encrypt certificates at the edge and this is something we are working on. If you've been using our TLS products continuously you'll have noticed that things are improving (up front as well as in the background). On the shared Fastly certificates side, this is now automated for customers who can provision SANs via the UI. With hosted certs, the rollouts have increased in speed. Essentially these improvements are incremental steps towards a greater goal that we're working on.
Let's Encrypt can already be used with our service from Fastly to the origin and also, technically, on the Fastly Edge out to clients via our current process. Note it would still fit within our pricing for a hosted certificate service and you'd need to upload the certificate to us every 90 days via the current means.
One of the most important requirements we have at Fastly is stability and performance. So a system we build out needs to be stable, performant and have capacity to meet expectations. With Let's Encrypt you can generate a lot of separate certificates and they need to be rolled out on our edge network and maintained whilst being performant. So we take our time to make sure we have this working properly before going to market with an integration as important as this.
There are already public talks about us having the ability to do this to a degree of scale here: https://vimeo.com/291583730 which gives some idea as to capability and direction we're heading.
With TLS 1.3 and QUIC, 2019 is looking to be an exciting year so I hope you'll stick with us while we look to release a solid offering to market in the future.
We recommend that if you have any further questions about TLS certificate usage or cost, you speak with sales@fastly.com / your account manager and they can review your current offering / check if we have suitable betas to join.
-
Richard, KeyCDN has had native Let's Encrypt integration for years now. We are in the process of switching to a new CDN atm and looked at Fastly, but one serious drawback was manually renewing/uploading certs every 90 days. While this could possibly be automated via API (like what we did on MaxCDN years ago; I haven't looked at the Fastly API yet), it still requires writing custom scripts. The nice thing about KeyCDN is that they handle Let's Encrypt renewals automatically. This is a killer feature since everything is TLS these days. You should really add native Let's Encrypt integration.