They are offering SSL free to all free dynos under the https://<foo>.herokuapp.com domain. If they offered free SSL for custom domains too, what's the incentive to upgrade to a paid dyno for applications that don't require a large amount of resources?
To be fair to Heroku, they have the right to make a profit. As is, it's amazing that they offer a fully free tier. If you don't like their policies, you are free to not use their services.
> If they offered free SSL for custom domains too, what's the incentive to upgrade to a paid dyno for applications that don't require a large amount of resources?
This is exactly my point. The fact that companies are still bucketing "SSL" into "things we can charge extra for" rather than "things that should be the absolute minimum we provide" is irresponsible.
Plaintext on the public internet needs to go away in whole.
You do have a point. In fact, philosophically, you are correct. You are correct in the same way that the National Association of the Deaf was correct in filing a complaint against UC Berkeley to make all of their publicly accessible course materials accessible (Berkeley, rather than captioning all of their materials, instead decided to take down all of their materials) [0].
But here's the thing: they are providing SSL for free for non-custom domains. Everything you can do with a custom domain can be done on the <foo>.herokuapp.com subdomain. You are intentionally choosing to use a custom domain. They define that as a feature worth charging for. No one is saying you must MITM your own application using something like Cloudflare. No one is saying you must use a custom domain. No one is saying you can't use the <foo>.herokuapp.com subdomain.
Heroku is not a non-profit/government organization. They are not under the obligation to advance the public good. In fact, as a publicly traded company (as a subsidiary of Salesforce), they're actually obligated to maximize revenues and profits.
> Heroku is not a non-profit/government organization. They are not under the obligation to advance the public good.
No. And people are under no obligation to not criticize them for not doing so. That's the thing with obligations: they are the bare minimum one must do, but hardly a guide for what one should do.
> In fact, as a publicly traded company (as a subsidiary of Salesforce), they're actually obligated to maximize revenues and profits.
In my opinion, even if it was true, people should avoid mentioning it out of sheer embarrassment for the mockery it makes of a presumably advanced society. But it's not even true!
And we end on the "maximize shareholder value" argument, the be-all end-all cop-out non-argument when a company is behaving harmfully.
You're correct, of course, and given the general libertarian mindset of HN, this is not a logically unreasonable stance to take. I don't even have a snarky "you'll be sorry in the future"-type parting shot to make because this is a niche of a niche we're talking about here.
I will just strike Heroku from the list of companies I will ever support and suggest my company and colleagues do the same. The same way I struck Startcom from that list after Heartbleed.
Hopefully, I change a few minds. Really all I can do.
I don't want to just jump all over you like some people are doing, because I think you make somewhat of a valid point (to be honest, I don't think I'm knowledgeable enough to have an opinion there). However, it's my understanding that you can SSL any app by default using their wildcard for free. As a private business, is it really so wrong for them to restrict the free, automated LE certs to just paid apps? If so, why?
Just in case it's not clear, these aren't rhetorical questions - genuinely interested in your answers.
You don't pay for SSL in this case. SSL is free. You pay for SSL on your domain. You can have SSL for free if you let Heroku advertise through your URL. Seems like a fair deal.