Egor Homakov's write up of the session fixation and CSRF vulnerabilities that this addresses:
http://homakov.blogspot.com/2013/03/hacking-github-with-webk...
I think he deserves being mentioned in the github's post.
Heh, at least he didn't get his account banned prematurely.
It's already been said, but as many headaches as Egor's proof-of-concepts gave Github's staff, they've really helped educate the general dev public (well, me at least) about security-mindedness. Github's security explanatory notes in the OP are helpful, but Egor's demo really made the issues memorable.
Poor form not crediting Homakov, GitHub. Credit means a lot to security researchers (that is all a lot of us are working for).
If you aren't even giving simple credit, you are asking to be compromised the next time an issue is found. GitHub is large enough and prominent enough where it should have an entire bounty program, let alone giving a blogger a link.
github is business after all — I think they just forgot about me/my post. also they told me previously moving to a new domain is an old idea.
" i think they just forgot about me/my post"
If you found an exploit and sold it to someone, you would be richer and they wouldn't forget you :)
We've got a list of security researchers who have disclosed vulnerabilities to us responsibly (including Homakov) on our help site: https://help.github.com/articles/responsible-disclosure-of-s...
That's sort of the opposite scale to what the (greyhat) security community would expect, though. Try tacking an HTML5 scroller (with an original SID composition) onto the end of the announcement, crediting the researcher. ;)
Not sure yet how I feel about the .io bandwagon that seems to be going around; I think I mainly don't like taking a TLD that is specifically designated for a country and attempting to attach a different meaning to it. I just don't know if my pedantry is justified... Yes, I know it's been happening forever, but that doesn't make it right.
I do like the delineation between official Github content and user-content, but there are definitely other ways to go about the problem without buying into the latest TLD fad.
There's very little reason for .io to be used as designated: .io is the TLD for the British Indian Ocean Territory which has been depopulated since the 60s and 70s. It now consists of a nature preserve and a joint British-American naval base.
Now, there is an issue with the Chagossians being forcibly removed from the islands, but should they ever resettle and gain sovereignty, it seems unlikely they'll continue to call themselves the British Indian Ocean Territory, necessitating a TLD change anyway (a la .su, .tp, and .an).
We own a lot of TLDs for GitHub, but we just settled on this one for no real reason other than it sounded nice (i.e., not because it's hip).
We also considered http://github.me and a few others, but thought this one worked well and was short without sounding like we were trying to make a mid-90's Personal Home Page Product™.
Interesting that .me is already considered as being old-fashioned. It only launched a few years ago... :)
Now if we could only get Google to see .io as a "generic" TLD: https://iwantmyname.com/blog/2012/08/dear-google-please-add-...
You guys should file to have a 'hub' TLD added, then you'd have the ultimate domain - git.hub
I have to admit, .io is probably one of the best geeky TLDs out there, so I can't fault you really. It just seems kind of trendy is all.
> without sounding like we were trying to make a mid-90's Personal Home Page Product™
That's not a dig on PHP is it? :)
FWIW, I have git.to if you're interested in taking it.
I can't comment about github.io, but to address your larger concern, this is in part due to the vast amount of cybersquatting. It's now very difficult to get meaningful domain names in the top TLDs, so companies and projects are being pushed to other TLDs. It's easier for techs to move to non-mainstream TLDs than for consumer-oriented companies, b/c we're comfortable with using them, whereas the average consumer will be confused or hesitant to click.
The trend will eventually be that, except for established historical domains (.co.uk, and a few dozen more), most TLDs won't signify anything. That's already happened with .ly, and is happening now with .io and .co.
Isn't the Colombian government intentionally doing this to .co?
May I interest you in the .src project instead then? ;o) http://dot-src.info
Hardly anyone uses .info but I much prefer it vs. going to any country tld.
I think that no one uses because it sounds spammy. Maybe because spammers rushed to buy a lot of .info domains and stuff with trash content.
This is certainly good news for HN, more than a few times I have been misled into thinking a pages.github.com submission was an official github announcement.
Probably needs some adjustment or moderator intervention in the near term. I just tried a moment ago; you can still submit a pages.github.com URL and HN will mark the domain as github.com, but it will redirect to github.io when you follow the link.
I really fail to see why HN doesn't display the subdomain in the submission. Is there a reason for this?
Misleading subdomains is one of the reasons I created my own Chrome extension for Hacker News, Autobahn.
You can download it at:
http://vlad.github.com/autobahn
Oh wait, I mean http://vlad.github.io/autobahn :)
Looks useful, will give it a try.
(I would remove the autoplay=1 on your video with music as it's pretty annoying when you open in a background tab)
When I go to http://pages.github.com/, I see absolutely no way to make a Github Page. How do you set one up?
EDIT: I know I could probably find the info in an FAQ, if I needed to. My point is that the images on that page seem to show a nice wysiwyg online editor for creating and publishing pages. I'm looking for a big call to action button that takes me there, similar to how easy it is to publish to https://gist.github.com/.
You create a repo named username.github.io (eg., pkamb.github.io). Put static files in it, and they will become available automatically. More information here: https://help.github.com/categories/20/articles
There's also an "automatic page generator" button if you go to your repository settings, where you can even pick from pre-designed themes :)
https://help.github.com/categories/20/articles
Doesn't it seem kind of crazy that you have to sort through an FAQ to get started? Why isn't there a big call to action button that says "Create a Page"?
Great all around, I hate all the links that show up here as from github.com when they're actually from username.github.com, or even gist.github.com. Though I guess this doesn't say anything about gists, maybe they should move those to their own domain too. Although I really think HN should show the first level subdomain of a domain if one exists.
The same security issues shouldn't occur on gist.github.com as you can't actually run any code there.
It's a real pain that "project pages", i.e. serving the gh-pages branch from username.github.com/project, aren't being redirected, for example: http://nightworld.github.com/odlnorth just 404s
Is this an oversight or am I missing something?
That's a bug; we're looking into it. Thanks!
From what I understand, this is the same reason Google uses googleusercontent.com
But Google's domain name isn't misleading. github.io still gives the impression of github-backed content.
well you know github is a.. hub.. of user content in git repositories.
Will github pages finally support SSL?
Security vulnerability 3: Websites could sniff passwords of users with password-saving browser extensions. If the extension autofills the username and password (and some do out of the box), then a bit of javascript on a GitHub Pages site could have stolen those users' Github passwords.
Excellent move on GitHub's part here.
It won't work in popular browsers. A subdomain is another origin and passwords cannot be stolen.
Is that why http://litecoin.org/ is down?
Looks like it, yeah. You can just go to http://coblee.github.io/litecoin in the meantime though.
Thanks, they seem to have fixed it in the meantime.
"If your Pages site was previously served from a username.github.com domain, all traffic will be redirected to the new username.github.io location indefinitely"
i.e., Phishers, no need to change your email templates!
"As a general rule, it's not possible to securely allow arbitrary user-provided content on a subdomain."
This rule is also good to keep in mind when choosing a domain for non-production environments!
I think .io is a much better choice than .co, because .co is easily confused with .com. .io is so completely different that it is less easily confused with .com.
Note that overstock totally rebranded their domain to o.co and found that a very large percentage of visitors were typing in o.com instead of o.co and they were losing a very significant amount of traffic.
The docs for user pages appear to have been auto-rewritten to name the repository with a .io suffix, but the cited URL doesn't seem to work.
See https://help.github.com/articles/user-organization-and-proje... , click the defunkt demo link.
Fixed. Thanks for pointing it out, I thought I got them all.
I like saas companies so much more than traditional ones largely because they offer support effectively. Test case: Try to find the number to call to replace your bluetooth headset.
This is in turn nice for people using .io domains, the weight of Github's many blogs and official project pages will lend trust to the TLD.
I'm not sure that I understand this statement, could you elaborate?
I would expect that the people who need to trust a TLD (consumers, I would presume) are not the same people who even know what GitHub is (developers, mostly, I would presume.)
Maybe he means search engine trust; PageRank. It’s plausible that Google factors in, when calculating the PageRank of a site, the TLD of the site and the proportion of bad/spammy sites that use that TLD.
Remember to migrate the threads if you are using Disqus (Admin -> Tools -> Migrate Threads -> Start Crawler).
This change just reset all the Tweets and G+ count for my project to 0. Is there a way to claim those back?
No one thought about pages.github.com?
That does not solve the security issues that they're looking to mitigate.
I see. I thought they could limit the cookies to the github.com root, but they already have stuff like gist.github.com.
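The point made in this exchange, and the general rule quoted a few comments up (that arbitrary user-provided content can't be securely allowed on a subdomain), comes down to how browsers scope cookies. The example below is added here and is not from the thread or from GitHub's own code: it models the RFC 6265 Domain-attribute rules (domain matching, plus rejection of Domain values that are public suffixes) with a constructed three-entry public-suffix set, and shows why a host-only session cookie on github.com does not protect against a *.github.com page planting its own cookie for the parent domain, while a *.github.io page cannot reach either github.com or other github.io sites.

```python
"""Browser cookie scoping for user content on a subdomain vs. a separate domain.

Added illustration (not GitHub's code and not from the thread). It models the
RFC 6265 cookie rules that matter here: the Domain attribute domain-matching
check and the rejection of Domain values that are public suffixes. The suffix
set below is a constructed three-entry subset; real browsers ship the full
Public Suffix List, on which github.io is listed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed subset of the Public Suffix List, enough for this example.
PUBLIC_SUFFIXES = {"com", "io", "github.io"}


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or ends with '.' + domain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


class BrowserCookieJar:
    """Minimal model of a browser cookie store (Path/Secure/HttpOnly ignored)."""

    def __init__(self) -> None:
        # key: (domain, host_only, name) -> value
        self._cookies: Dict[Tuple[str, bool, str], str] = {}

    def set_cookie(self, origin_host: str, name: str, value: str,
                   domain: Optional[str] = None) -> bool:
        """Process a Set-Cookie received from origin_host; return True if stored."""
        origin_host = origin_host.lower()
        if domain is None:
            # No Domain attribute: host-only cookie, sent to origin_host alone.
            self._cookies[(origin_host, True, name)] = value
            return True
        domain = domain.lower().lstrip(".")
        # RFC 6265 section 5.3 step 5: a Domain that is a public suffix is rejected.
        if domain in PUBLIC_SUFFIXES:
            return False
        # Step 6: the setting host must itself domain-match the Domain value.
        if not domain_matches(origin_host, domain):
            return False
        self._cookies[(domain, False, name)] = value
        return True

    def cookies_for(self, host: str) -> List[Tuple[str, str]]:
        """Cookies a request to host would carry, as sorted (name, value) pairs."""
        host = host.lower()
        sent = []
        for (domain, host_only, name), value in self._cookies.items():
            if host_only and host == domain:
                sent.append((name, value))
            elif not host_only and domain_matches(host, domain):
                sent.append((name, value))
        return sorted(sent)


def shared_parent_domain() -> dict:
    """Old layout: user pages served from user.github.com."""
    jar = BrowserCookieJar()
    # The main site sets its session cookie host-only ("limited to the root")
    # and a preferences cookie scoped to the whole domain.
    jar.set_cookie("github.com", "_session", "real-session")
    jar.set_cookie("github.com", "prefs", "dark-mode", domain="github.com")
    # A user page plants a cookie for the parent domain. No browser rule forbids
    # this, so github.com now receives both _session values (session fixation),
    # and the domain-scoped prefs cookie flows to the user page as well.
    planted = jar.set_cookie("user.github.com", "_session", "attacker-chosen",
                             domain="github.com")
    return {
        "planted": planted,
        "github_com": jar.cookies_for("github.com"),
        "user_page": jar.cookies_for("user.github.com"),
    }


def separate_registrable_domain() -> dict:
    """New layout: user pages served from user.github.io, a public suffix."""
    jar = BrowserCookieJar()
    jar.set_cookie("github.com", "_session", "real-session")
    # Domain=github.io is a public suffix: rejected, so one user's page cannot
    # set cookies that reach every other *.github.io site.
    planted = jar.set_cookie("user.github.io", "_session", "attacker-chosen",
                             domain="github.io")
    # Domain=github.com is not matched by user.github.io: rejected.
    cross = jar.set_cookie("user.github.io", "_session", "attacker-chosen",
                           domain="github.com")
    # A host-only cookie is allowed and stays on that one host.
    jar.set_cookie("user.github.io", "visited", "yes")
    return {
        "planted": planted,
        "cross": cross,
        "github_com": jar.cookies_for("github.com"),
        "other_user": jar.cookies_for("other.github.io"),
        "user_page": jar.cookies_for("user.github.io"),
    }


if __name__ == "__main__":
    print(shared_parent_domain())
    print(separate_registrable_domain())
```

The takeaway for a defender is that "keep the session cookie host-only" limits where github.com's own cookie is sent, but it does nothing about cookies a subdomain sets upward; only moving user content to a domain the browser treats as a separate registrable domain (and, for github.io, a public suffix) closes that path, which is also why Google serves user content from googleusercontent.com.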
What's next aside from trendy hipster TLDs located in the Indian ocean? I mean I/O amirite?!?!?!
Had a misbehaving page because of this.
An email notification would have been nice, Github.
this was a long time coming; excellent move
is the css not loading for anyone else?
http://i7.minus.com/jIB4Ck8nD7cOH.png
GitHub has been having DNS issues today. Maybe they screwed something up when enabling github.io?
Or, do like Heroku: something like github-pages.com or github-space.com, mygithub.com, etc... github.io / github.com is still a bit confusing...
I presume they valued the terseness of the domain over the brand potential of 'Pages'. I do agree that there is confusion though. You can't possibly know the difference between github.io and github.com until you're actually told.