[yunolisten]

Shame on them for not giving notice and a proper explanation of the change. They were vastly under reporting the cost of providing the service. Consider that they are a business.

Shame on you for not using resumable TLS sessions/Keep alive. You're hammering their infrastructure. The change in how they meter usage is seeing you having to compensate them for the resource they provide you.

[awjr]

Be very careful here. The developer may not have used TLS BUT any failed authorisation attempts are also counted in the bandwidth.

So a bot net could absolutely wreck your credit card by just repeatedly trying to access your API with invalid credentials.

[yunolisten]

> So a bot net could absolutely wreck your credit card by just repeatedly trying to access your API with invalid credentials.

You could argue that for pretty much anything being hosted, anywhere.

[stemuk]

No, because most self-hosted services are 10-20x cheaper than comparable SaaS offerings. In the realtime space Firebase is particularly known for being really expensive for the scalable plans (blaze plan).

[yunolisten]

> No, because most self-hosted services are 10-20x cheaper than comparable SaaS offerings.

This has nothing to do with the fact that it could be hit by a botnet, as per the exact point I commented on, could 'wreck your card', it's simply a question of scale.

[kuschku]

No. Most self-hosted services have no bandwidth costs, at all.

Or they have bandwidth costs around a dollar per terabyte. Which, even when maxing your connections, would always be below your actual server costs.

[yunolisten]

If you read the fine print of the ones with "no bandwidth costs" you'll find that service becomes throttled after a certain level of usage. These are businesses, they have to make money to operate, they're not in this for charity

[Mithaldu]

Absolutely no shame on the author for something that can be easily overlooked, wasn't documented and not reported by any tool.

[yunolisten]

Agreed in part, however TLS Tokens and Keep alive aren't specific to this vendor... it's something that the author should be doing anyway. If they were to self host rather than contract out the underlying service upon which they depend they may have figured this out sooner.