Heh, at least he didn't get his account banned prematurely.
It's already been said, but as much headaches as Egor's proof-of-concepts gave headaches to Github's staff, they've really helped educate the general dev public (well, me at least) about security-mindedness. Github's security explanatory notes in the OP are helpful, but Egor's demo really made the issues memorable.
Egor's posts have also helped GitHub improve their security, to the extent that they're willing to listen.
I told a couple of people at GitHub that they should add a way to select which email addresses can be used for password reset. Both agreed it was a good idea, but there hasn't been any action.
If you want commits to be linked to your GitHub account, you have to add the email to your account settings page. If you add the email to your account settings page, it can be used to reset the password and gain access to the account.
Poor form not crediting Homakov, GitHub. Credit means a lot to security researchers (that is all a lot of us are working for).
If you aren't even giving simple credit, you are asking to be compromised the next time an issue is found. GitHub is large enough and prominent enough where it should have an entire bounty program, let alone giving a blogger a link.
That's sort of the opposite scale to what the (greyhat) security community would expect, though. Try tacking an HTML5 scroller (with an original SID composition) onto the end of the announcement, crediting the researcher. ;)
Not sure yet how I feel about the .io bandwagon that seems to be going around; I think I mainly don't like taking a TLD that is specifically designated for a country and attempting to attach a different meaning to it. I just don't know if my pedantry is justified... Yes, I know it's been happening forever, but that doesn't make it right.
I do like the delineation between official Github content and user-content, but there definitely other ways to go about the problem without buying into the latest TLD fad.
We own a lot of TLD's for GitHub, but we just settled on this one for no real reason other than it sounded nice (i.e., not because it's hip).
We also considered http://github.me and a few others, but thought this one worked well and was short without sounding like we were trying to make a mid-90's Personal Home Page Product™.
For the past year or 2 I've been seeing more and more of them. However, I don't have any bookmarked, at least not yet. I found a pretty good time-waster[3] where I may end up with some. I found one here on HN[2] too....might be more. Also found a relevant question on a StackExchange[3] site.
There's very little reason for .io to be used as designated: .io is the TLD for the British Indian Ocean Territory which has been depopulated since the 60s and 70s. It now consists of a nature preserve and a joint British-American naval base.
Now, there is an issue with the Chagossians being forcibly removed from the islands, but should they ever resettle and gain sovereignty, it seems unlikely they'll continue to call themselves the British Indian Ocean Territory, necessitating a TLD change anyway (a la .su, .tp, and .an).
I can't comment about github.io, but to address your larger concern, this is in part due to the vast amount of cybersquatting. It's now very difficult to get meaningful domain names in the top TLDs, so companies and projects are being pushed to other TLDs. It's easier for techs to move to non-mainstream TLDs than for consumer-oriented companies, b/c we're comfortable with using them, whereas the average consumer will be confused or hesitant to click.
The trend will eventually be that, except for established historical domains (.co.uk, and a few dozen more), most TLDs won't signinfy anything. That's already happened with .ly, and is happening now with .io and .co.
This is certainly good news for HN, more than a few times I have been misled into thinking a pages.github.com submission was an official github announcement.
Probably needs some adjustment or moderator intervention in the near term. I just tried a moment ago; you can still submit a pages.github.com URL and HN will mark the domain as github.com, but it will redirect to github.io when you follow the link.
The problem wasn't anticipated, and the fix has been to enable showing subdomains on only on certain domains, mainly blog hosts like wordpress, blogspot, tumblr.
Indeed, it's not like there are an endless number of common subdomains which don't convey much information. "www" is one, "blog" is another. That's about it.
When I go to http://pages.github.com/, I see absolutely no way to make a Github Page. How do you set one up?
EDIT: I know I could probably find the info in an FAQ, if I needed to. My point is that the images on that page seem to show a nice wysiwyg online editor for creating and publishing pages. I'm looking for a big call to action button that takes me there, similar to how easy it is to publish to https://gist.github.com/.
You create a repo named username.github.io (eg., pkamb.github.io). Put static files in it, and they will become available automatically. More information here: https://help.github.com/categories/20/articles
Doesn't it seem kind of crazy that you have to sort through an FAQ to get started? Why isn't there a big call to action button that says "Create a Page"?
Project pages should come from a project repo. Why would you expect to go to a page and expect to be able to create from there? Do you have a repo / project on Github? Then you would have figured it out on your own.
Great all around, I hate all the links that show up here as from github.com when they're actually from username.github.com, or even gist.github.com. Though I guess this doesn't say anything about gists, maybe they should move those to their own domain too. Although I really think HN should show the first level subdomain of a domain if one exists.
It's a real pain that "project pages", i.e. serving the gh-pages branch from username.github.com/project aren't being redirected, for example: http://nightworld.github.com/odlnorth just 404's
Security vulnerability 3: Websites could sniff passwords of users with password-saving browser extensions. If the extension autofills the username and password (and some do out of the box), then a bit of javascript on a GitHub Pages site could have stolen those users' Github passwords.
"If your Pages site was previously served from a username.github.com domain, all traffic will be redirected to the new username.github.io location indefinitely"
i.e., Phishers, no need to change your email templates!
I think .io is a much better choice than .co, because .co is easily confused with .com. .io is so completely different that it is less easily confused with .com.
Note that overstock totally rebranded their domain to o.co and found that a very large percentage of visitors were typing in o.com instead of o.co and they were losing a very significant amount of traffic.
I like saas companies so much more than traditional ones largely because they offer support effectively.
Test case: Try to find the number to call to replace your bluetooth headset.
I'm not sure that I understand this statement, could you elaborate?
I would expect that the people who need to trust a TLD (consumers, I would presume) are not the same people who even know what GitHub is (developers, mostly, I would presume.)
Maybe he means search engine trust; PageRank. It’s plausible that Google factors in, when calculating the PageRank of a site, the TLD of the site and the proportion of bad/spammy sites that use that TLD.
He means that if they set cookies to only apply to the root, then you will have to log in to gist.github.com and github.com separately. Taking access away from the un-trusted code also means taking it away from some trusted code.
I presume they valued the terseness of the domain over the brand potential of 'Pages'. I do agree that there is confusion though. You can't possibly know the difference between github.io and github.com until you're actually told.
Egor Homakov's write up of the session fixation and CSRF vulnerabilities that this addresses:
http://homakov.blogspot.com/2013/03/hacking-github-with-webk...
I think he deserves being mentioned in the github's post.
Heh, at least he didn't get his account banned prematurely.
It's already been said, but as much headaches as Egor's proof-of-concepts gave headaches to Github's staff, they've really helped educate the general dev public (well, me at least) about security-mindedness. Github's security explanatory notes in the OP are helpful, but Egor's demo really made the issues memorable.
Egor's posts have also helped GitHub improve their security, to the extent that they're willing to listen.
I told a couple of people at GitHub that they should add a way to select which email addresses can be used for password reset. Both agreed it was a good idea, but there hasn't been any action.
If you want commits to be linked to your GitHub account, you have to add the email to your account settings page. If you add the email to your account settings page, it can be used to reset the password and gain access to the account.
Also people keep begging for Two-Factor auth, and I'll echo that. https://twitter.com/kaepora/status/307938914667220992
Poor form not crediting Homakov, GitHub. Credit means a lot to security researchers (that is all a lot of us are working for).
If you aren't even giving simple credit, you are asking to be compromised the next time an issue is found. GitHub is large enough and prominent enough where it should have an entire bounty program, let alone giving a blogger a link.
github is business after all — i think they just forgot about me/my post. also they told me previously moving to a new domain is an old idea.
" i think they just forgot about me/my post"
If you found an exploit and sold it to someone, you would be richer and they wouldn't forget you :)
We've got a list of security researchers who have disclosed vulnerabilities to us responsibly (including Homakov) on our help site: https://help.github.com/articles/responsible-disclosure-of-s...
That's sort of the opposite scale to what the (greyhat) security community would expect, though. Try tacking an HTML5 scroller (with an original SID composition) onto the end of the announcement, crediting the researcher. ;)
Not sure yet how I feel about the .io bandwagon that seems to be going around; I think I mainly don't like taking a TLD that is specifically designated for a country and attempting to attach a different meaning to it. I just don't know if my pedantry is justified... Yes, I know it's been happening forever, but that doesn't make it right.
I do like the delineation between official Github content and user-content, but there definitely other ways to go about the problem without buying into the latest TLD fad.
We own a lot of TLD's for GitHub, but we just settled on this one for no real reason other than it sounded nice (i.e., not because it's hip).
We also considered http://github.me and a few others, but thought this one worked well and was short without sounding like we were trying to make a mid-90's Personal Home Page Product™.
FWIW, I have git.to if you're interested in taking it.
Awesome, GitHub can make their own URL shortening service and replace all links in every README/Issue/Pull Request with short urls!
They already have http://git.io
URL shortener for rednecks?
You guys should file to have a 'hub' TLD added, then you'd have the ultimate domain - git.hub
That doesn't look aesthetically pleasing to me..
Then you might as well buy the .github TLD and give everyone their own yourpagename.github url.
Interesting that .me is already considered as being old-fashioned. It only launched a few years ago... :)
Now if we could only get Google to see .io as a "generic" TLD: https://iwantmyname.com/blog/2012/08/dear-google-please-add-...
Agreed, this seems like a weird shortcoming on their part. Not clear how best to get the message to Google, though.
Google heard the message but apparently their data suggests otherwise: http://www.youtube.com/watch?feature=player_embedded&v=Q... – which is really hard to believe in regards to .io domains.
Yeah, that's goofy. Nothing that Matt Cutts is saying in that video makes any sense at all with respect to .io.
Interesting, I wasn't aware of this.
I have to admit, .io is probably one of the best geeky TLD's out there, so I can't fault you really. It just seems kind of trendy is all.
> without sounding like we were trying to make a mid-90's Personal Home Page Product™
That's not a dig on PHP is it? :)
I like that the pricing keeps out a lot of the squatting riff-raff you see in com/net/org/info etc... I like .info too, but it's been abused.
It's also easier to find a relatively short/applicable tld.
It's strange that I've never heard of .io until github.io. What else am I missing out on? :(
http://crashlog.io a real time exception handler for one.
For the past year or 2 I've been seeing more and more of them. However, I don't have any bookmarked, at least not yet. I found a pretty good time-waster[3] where I may end up with some. I found one here on HN[2] too....might be more. Also found a relevant question on a StackExchange[3] site.
1. http://domaintyper.com/top-websites/most-popular-websites-wi...
2. https://news.ycombinator.com/item?id=4920233
3. http://answers.onstartups.com/questions/18209/whats-with-sta...
Thanks!
There's very little reason for .io to be used as designated: .io is the TLD for the British Indian Ocean Territory which has been depopulated since the 60s and 70s. It now consists of a nature preserve and a joint British-American naval base.
Now, there is an issue with the Chagossians being forcibly removed from the islands, but should they ever resettle and gain sovereignty, it seems unlikely they'll continue to call themselves the British Indian Ocean Territory, necessitating a TLD change anyway (a la .su, .tp, and .an).
Hardly anyone uses .info but I much prefer it vs. going to any country tld.
I think that no one uses because it sounds spammy. Maybe because spammers rushed to buy a lot of .info domains and stuff with trash content.
May I interest you in the .src project instead then? ;o) http://dot-src.info
I can't comment about github.io, but to address your larger concern, this is in part due to the vast amount of cybersquatting. It's now very difficult to get meaningful domain names in the top TLDs, so companies and projects are being pushed to other TLDs. It's easier for techs to move to non-mainstream TLDs than for consumer-oriented companies, b/c we're comfortable with using them, whereas the average consumer will be confused or hesitant to click.
The trend will eventually be that, except for established historical domains (.co.uk, and a few dozen more), most TLDs won't signinfy anything. That's already happened with .ly, and is happening now with .io and .co.
Isn't the Columbian government intentionally doing this to .co?
This is certainly good news for HN, more than a few times I have been misled into thinking a pages.github.com submission was an official github announcement.
Probably needs some adjustment or moderator intervention in the near term. I just tried a moment ago; you can still submit a pages.github.com URL and HN will mark the domain as github.com, but it will redirect to github.io when you follow the link.
I really fail to see why HN doesn't display the subdomain in the submission. Is there a reason for this?
The problem wasn't anticipated, and the fix has been to enable showing subdomains on only on certain domains, mainly blog hosts like wordpress, blogspot, tumblr.
Because oftentimes the subdomain is irrelevant and would just make the display cluttered. More often than not the domain would be www.
We did the same thing on reddit for the same reason. A few domains get their subdomain when they are popular enough for people to complain.
No reason www. couldn't be stripped off.
Indeed, it's not like there are an endless number of common subdomains which don't convey much information. "www" is one, "blog" is another. That's about it.
Misleading subdomains is one of the reasons I created my own Chrome extension for Hacker News, Autobahn.
You can download it at:
http://vlad.github.com/autobahn
Oh wait, I mean http://vlad.github.io/autobahn :)
Looks useful, will give it a try.
(I would remove the autoplay=1 on your video with music as it's pretty annoying when you open in a background tab)
When I go to http://pages.github.com/, I see absolutely no way to make a Github Page. How do you set one up?
EDIT: I know I could probably find the info in an FAQ, if I needed to. My point is that the images on that page seem to show a nice wysiwyg online editor for creating and publishing pages. I'm looking for a big call to action button that takes me there, similar to how easy it is to publish to https://gist.github.com/.
You create a repo named username.github.io (eg., pkamb.github.io). Put static files in it, and they will become available automatically. More information here: https://help.github.com/categories/20/articles
https://help.github.com/categories/20/articles
Doesn't it seem kind of crazy that you have to sort through an FAQ to get started? Why isn't there a big call to action button that says "Create a Page"?
I agree. However this is pretty much it for how to do it.
It is quite easy to get started, jekyll is very simple.
Because that just results in the creation, and subsequent abandonment, of a lot of junk pages?
As opposed to the "New repository" button on the github.com front page...
Project pages should come from a project repo. Why would you expect to go to a page and expect to be able to create from there? Do you have a repo / project on Github? Then you would have figured it out on your own.
There's also an "automatic page generator" button if you go to your repository settings, where you can even pick from pre-designed themes :)
Great all around, I hate all the links that show up here as from github.com when they're actually from username.github.com, or even gist.github.com. Though I guess this doesn't say anything about gists, maybe they should move those to their own domain too. Although I really think HN should show the first level subdomain of a domain if one exists.
The same security issues shouldn't occur on gist.github.com as you can't actually run any code there.
It's a real pain that "project pages", i.e. serving the gh-pages branch from username.github.com/project aren't being redirected, for example: http://nightworld.github.com/odlnorth just 404's
Is this an oversight or am I missing something?
That's a bug; we're looking into it. Thanks!
From what I understand, this is the same reason Google uses googleusercontent.com
But Google's domain name isn't misleading. github.io still gives the impression of github-backed content.
well you know github is a.. hub.. of user content in git repositories.
Will github pages finally support SSL?
Security vulnerability 3: Websites could sniff passwords of users with password-saving browser extensions. If the extension autofills the username and password (and some do out of the box), then a bit of javascript on a GitHub Pages site could have stolen those users' Github passwords.
Excellent move on GitHub's part here.
i won't work in popular browsers. subdomain is another origin and passwords cannot be stolen
Is that why http://litecoin.org/ is down?
Looks like it, yeah. You can just go to http://coblee.github.io/litecoin in the meantime though.
Thanks, they same to have fixed it in the meantime.
"If your Pages site was previously served from a username.github.com domain, all traffic will be redirected to the new username.github.io location indefinitely"
i.e., Phishers, no need to change your email templates!
"As a general rule, it's not possible to securely allow arbitrary user-provided content on a subdomain."
This rule is also good to keep in mind when choosing a domain for non-production environments!
I think .io is a much better choice than .co, because .co is easily confused with .com. .io is so completely different that it is less easily confused with .com.
Note that overstock totally rebranded their domain to o.co and found that a very large percentage of visitors were typing in o.com instead of o.co and they were losing a very significant amount of traffic.
The docs for user pages appear to have been auto-rewritten to name the repository with a .io suffix, but the cited URL doesn't seem to work.
See https://help.github.com/articles/user-organization-and-proje... , click the defunkt demo link.
Fixed. Thanks for pointing it out, I thought I got them all.
I like saas companies so much more than traditional ones largely because they offer support effectively. Test case: Try to find the number to call to replace your bluetooth headset.
This is in turn nice for people using .io domains, the weight of Github's many blogs and official project pages will lend trust to the TLD.
I'm not sure that I understand this statement, could you elaborate?
I would expect that the people who need to trust a TLD (consumers, I would presume) are not the same people who even know what GitHub is (developers, mostly, I would presume.)
Maybe he means search engine trust; PageRank. It’s plausible that Google factors in, when calculating the PageRank of a site, the TLD of the site and the proportion of bad/spammy sites that use that TLD.
Remember to migrate the threads if you are using Disqus (Admin -> Tools -> Migrate Threads -> Start Crawler).
This change just reset all the Tweets and G+ count for my project to 0. Is there a way to claim those back?
No one thought about pages.github.com?
That does not solve the security issues that they're looking to mitigate.
I see. I thought they could limit the cookies to the github.com root, but they already have stuff like gist.github.com.
Which doesn't run arbitrary JS code, unlike the username.github.com pages, which means gist.github.com is incapable of setting such cookies.
Unless there's a way to 'run' gist files? I'm not aware of any, but I haven't tried particularly hard.
He means that if they set cookies to only apply to the root, then you will have to log in to gist.github.com and github.com separately. Taking access away from the un-trusted code also means taking it away from some trusted code.
Aaah, d'oh. Makes sense in retrospect :) thanks!
What's next aside from trendy hipster TLD's located in the Indian ocean? I mean I/O amirite?!?!?!
Had a misbehaving page because of this.
An email notification would have been nice Github.
this was a long time coming; excellent move
is the css not loading for anyone else?
http://i7.minus.com/jIB4Ck8nD7cOH.png
GitHub has been having DNS issues today. Maybe they screwed something up when enabling github.io?
or , do like heroku : something like github-pages.com or github-space.com , mygithub.com , etc ... github.io / github.com still a bit confusing...
I presume they valued the terseness of the domain over the brand potential of 'Pages'. I do agree that there is confusion though. You can't possibly know the difference between github.io and github.com until you're actually told.