Board: Speculation
Topic: Re: holy shit, china is going parabolic..
by nyusternie on 06/05/2013, 04:39:12 UTC
I began with a set of VPSes in Japan, but actually found connection to west-coast US much better. I think a lot of locals use nearby VPSes as proxies (I know I do), and so connections, particularly https, seem to be getting throttled and blocked more often. I got blocked due to someone else on my same IP range -- didn't bode well.

Serving through CDN, I see sub-1-second page loads over 3G to W coast US. All assets will be served from CDN edge locations so it should be OK. How that scales to full-time trading will be the real test though.

For comparison, BTCChina, when not behind CloudFlare, seems to be on an east-coast Linode.

i had horrible experiences with running us-based services to the mainland. but what you say about vpses and cdns makes a lot of sense. i've only just started using maxcdn myself and haven't been able to run any mainland tests just yet.

i stress location and performance, but it really depends on what you're offering. basic trading should be fine, but if you're offering live charts and apis, then it could become a problem when serving the mainland's non-vpn userbase (especially if your competition IS in mainland -- YOUR service will seem slow and spotty). but i'm with you, when i'm there i have 3 private vpns in the us, eu and sg and just use the one that's giving me the best performance at the time.

For the Bitcoin server -- I looked; we began with a self-hosted solution. However, the only secure way I am really comfortable with is a dedicated server under my own control -- even whole-disk encryption means nothing on a VPS. The intermediate code is relatively backend-agnostic, so I can always go back to that route if needs be. Will possibly be adding alt currencies down the road, so would need to self-host anyway. I think the biggest draw for blockchain.info is that we plan to market it as a secure solution -- are new users more likely to trust a(nother) new exchange, or one of the biggest players on the block? I know where my money would go. It will help me sleep at night too...

i don't have any experience with the blockchain.info api, so what i know is purely from outside observation, but i just assumed so many people used the api for its "convenience" and "reliability" not so much for its security. imo security is still very much localized to your transaction server. i assume the exchange you've built will be automated for the most part, which means you will need to store those api keys on the server and at some point they will need to be unencrypted and then transmitted to the api (which will probably be via ssl). the point right before transmission will be the weakest link in your security chain. if that gets compromised, blockchain can't help you.

i'm currently documenting my own experiences with enterprise-level bitcoin security and will hopefully have it online sooner than later for anyone to review and comment. there's tons and tons of info online about how to secure bitcoin (but it mainly applies to users not businesses). the one thing i would like to say to you (something that i've never seen mentioned) is to make sure you install an intrusion detection system like OSSEC. if you've employed an outside security firm GREAT!, otherwise use something like OpenVAS for penetration testing. both are open-source and very well supported.

there are many side-channel attacks, but these 2 tools will at least cover the obvious and alert you when attention is needed. paper wallets, hardened passwords, etc, etc, are a given.

i wish you the best of luck and look forward to the release