New GitHub Pages domain: github.io

13 years ago (github.com)

Egor Homakov's write up of the session fixation and CSRF vulnerabilities that this addresses:

http://homakov.blogspot.com/2013/03/hacking-github-with-webk...

  • I think he deserves to be mentioned in GitHub's post.

    • Heh, at least he didn't get his account banned prematurely.

      It's already been said, but as many headaches as Egor's proofs of concept gave GitHub's staff, they've really helped educate the general dev public (well, me at least) about security-mindedness. GitHub's security explanatory notes in the OP are helpful, but Egor's demo really made the issues memorable.

Poor form not crediting Homakov, GitHub. Credit means a lot to security researchers (that is all a lot of us are working for).

If you aren't even giving simple credit, you are asking to be compromised the next time an issue is found. GitHub is large enough and prominent enough where it should have an entire bounty program, let alone giving a blogger a link.

  • github is business after all — i think they just forgot about me/my post. also they told me previously moving to a new domain is an old idea.

    • " i think they just forgot about me/my post"

      If you found an exploit and sold it to someone, you would be richer and they wouldn't forget you :)

Not sure yet how I feel about the .io bandwagon that seems to be going around; I think I mainly don't like taking a TLD that is specifically designated for a country and attempting to attach a different meaning to it. I just don't know if my pedantry is justified... Yes, I know it's been happening forever, but that doesn't make it right.

I do like the delineation between official GitHub content and user-content, but there are definitely other ways to go about the problem without buying into the latest TLD fad.

  • There's very little reason for .io to be used as designated: .io is the TLD for the British Indian Ocean Territory which has been depopulated since the 60s and 70s. It now consists of a nature preserve and a joint British-American naval base.

    Now, there is an issue with the Chagossians being forcibly removed from the islands, but should they ever resettle and gain sovereignty, it seems unlikely they'll continue to call themselves the British Indian Ocean Territory, necessitating a TLD change anyway (a la .su, .tp, and .an).

  • We own a lot of TLDs for GitHub, but we just settled on this one for no real reason other than it sounded nice (i.e., not because it's hip).

    We also considered http://github.me and a few others, but thought this one worked well and was short without sounding like we were trying to make a mid-90's Personal Home Page Product™.

  • I can't comment about github.io, but to address your larger concern, this is in part due to the vast amount of cybersquatting. It's now very difficult to get meaningful domain names in the top TLDs, so companies and projects are being pushed to other TLDs. It's easier for techs to move to non-mainstream TLDs than for consumer-oriented companies, b/c we're comfortable with using them, whereas the average consumer will be confused or hesitant to click.

    The trend will eventually be that, except for established historical domains (.co.uk, and a few dozen more), most TLDs won't signify anything. That's already happened with .ly, and is happening now with .io and .co.

  • Hardly anyone uses .info but I much prefer it vs. going to any country tld.

    • I think that no one uses it because it sounds spammy. Maybe because spammers rushed to buy a lot of .info domains and stuff them with trash content.

This is certainly good news for HN, more than a few times I have been misled into thinking a pages.github.com submission was an official github announcement.

When I go to http://pages.github.com/, I see absolutely no way to make a Github Page. How do you set one up?

EDIT: I know I could probably find the info in an FAQ, if I needed to. My point is that the images on that page seem to show a nice wysiwyg online editor for creating and publishing pages. I'm looking for a big call to action button that takes me there, similar to how easy it is to publish to https://gist.github.com/.

Great all around, I hate all the links that show up here as from github.com when they're actually from username.github.com, or even gist.github.com. Though I guess this doesn't say anything about gists, maybe they should move those to their own domain too. Although I really think HN should show the first level subdomain of a domain if one exists.

  • The same security issues shouldn't occur on gist.github.com as you can't actually run any code there.

Security vulnerability 3: Websites could sniff passwords of users with password-saving browser extensions. If the extension autofills the username and password (and some do out of the box), then a bit of javascript on a GitHub Pages site could have stolen those users' Github passwords.

Excellent move on GitHub's part here.

  • it won't work in popular browsers. subdomain is another origin and passwords cannot be stolen

"If your Pages site was previously served from a username.github.com domain, all traffic will be redirected to the new username.github.io location indefinitely"

i.e., Phishers, no need to change your email templates!

"As a general rule, it's not possible to securely allow arbitrary user-provided content on a subdomain."

This rule is also good to keep in mind when choosing a domain for non-production environments!
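
Added example, not part of the thread or of GitHub's post: a sketch of the RFC 6265 cookie-scoping rules behind the quoted rule, checking whether a user-content host can set a cookie that the main application host will receive. The function names and the small suffix set standing in for the Public Suffix List are assumptions of this example.

```javascript
// Added example: cookie scoping modelled on RFC 6265 (sections 5.1.3 and 5.3).
// SUFFIXES is a constructed stand-in for the Public Suffix List.
const SUFFIXES = new Set(["com", "io"]);

// RFC 6265 domain-match: host equals the domain or is a subdomain of it.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Scope a browser would store for a cookie set by setterHost, or null if rejected.
function storedScope(setterHost, domainAttr, suffixes = SUFFIXES) {
  const host = setterHost.toLowerCase();
  if (!domainAttr) return { domain: host, hostOnly: true };
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  // A public suffix is only accepted when it is the setting host itself.
  if (suffixes.has(domain)) return domain === host ? { domain, hostOnly: true } : null;
  // The setting host must be the Domain value or one of its subdomains.
  if (!domainMatches(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Would a cookie set by setterHost with this Domain attribute be sent to targetHost?
function cookieReaches(setterHost, domainAttr, targetHost, suffixes = SUFFIXES) {
  const scope = storedScope(setterHost, domainAttr, suffixes);
  if (scope === null) return false;
  const target = targetHost.toLowerCase();
  return scope.hostOnly ? target === scope.domain : domainMatches(target, scope.domain);
}

// Audit: parent domains through which a user-content host can set a cookie the app host receives.
function riskyScopes(userHost, appHost, suffixes = SUFFIXES) {
  const labels = userHost.toLowerCase().split(".");
  const risky = [];
  for (let i = 1; i < labels.length; i++) {
    const parent = labels.slice(i).join(".");
    if (cookieReaches(userHost, parent, appHost, suffixes)) risky.push(parent);
  }
  return risky;
}

console.log(riskyScopes("username.github.com", "github.com")); // [ 'github.com' ]
console.log(riskyScopes("username.github.io", "github.com"));  // []
// Sibling user sites still share a registrable domain unless it is listed as a suffix.
const withPagesSuffix = new Set([...SUFFIXES, "github.io"]);
console.log(cookieReaches("a.github.io", "github.io", "b.github.io"));                  // true
console.log(cookieReaches("a.github.io", "github.io", "b.github.io", withPagesSuffix)); // false
```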

I think .io is a much better choice than .co, because .co is easily confused with .com. .io is so completely different that it is less easily confused with .com.

Note that overstock totally rebranded their domain to o.co and found that a very large percentage of visitors were typing in o.com instead of o.co and they were losing a very significant amount of traffic.

I like saas companies so much more than traditional ones largely because they offer support effectively. Test case: Try to find the number to call to replace your bluetooth headset.

This is in turn nice for people using .io domains, the weight of Github's many blogs and official project pages will lend trust to the TLD.

  • I'm not sure that I understand this statement, could you elaborate?

    I would expect that the people who need to trust a TLD (consumers, I would presume) are not the same people who even know what GitHub is (developers, mostly, I would presume.)

    • Maybe he means search engine trust; PageRank. It’s plausible that Google factors in, when calculating the PageRank of a site, the TLD of the site and the proportion of bad/spammy sites that use that TLD.

Remember to migrate the threads if you are using Disqus (Admin -> Tools -> Migrate Threads -> Start Crawler).

This change just reset all the Tweets and G+ count for my project to 0. Is there a way to claim those back?

What's next aside from trendy hipster TLD's located in the Indian ocean? I mean I/O amirite?!?!?!

Had a misbehaving page because of this.

An email notification would have been nice Github.

Or, do like Heroku: something like github-pages.com or github-space.com, mygithub.com, etc... github.io / github.com is still a bit confusing...

  • I presume they valued the terseness of the domain over the brand potential of 'Pages'. I do agree that there is confusion though. You can't possibly know the difference between github.io and github.com until you're actually told.