

New GitHub Pages domain: github.io - xPaw
https://github.com/blog/1452-new-github-pages-domain-github-io

======
molecule
Egor Homakov's write up of the session fixation and CSRF vulnerabilities that
this addresses:

[http://homakov.blogspot.com/2013/03/hacking-github-with-webk...](http://homakov.blogspot.com/2013/03/hacking-github-with-webkit.html)

~~~
alcuadrado
I think he deserves being mentioned in the github's post.

~~~
danso
Heh, at least he didn't get his account banned prematurely.

It's already been said, but as many headaches as Egor's proof-of-concepts gave
Github's staff, they've _really_ helped educate the general dev public (well,
me at least) about security-mindedness. Github's security explanatory notes in
the OP are helpful, but Egor's demo really made the issues memorable.

~~~
benatkin
Egor's posts have also helped GitHub improve their security, to the extent
that they're willing to listen.

I told a couple of people at GitHub that they should add a way to select which
email addresses can be used for password reset. Both agreed it was a good
idea, but there hasn't been any action.

If you want commits to be linked to your GitHub account, you have to add the
email to your account settings page. If you add the email to your account
settings page, it can be used to reset the password and gain access to the
account.

Also people keep begging for Two-Factor auth, and I'll echo that.
<https://twitter.com/kaepora/status/307938914667220992>

------
nikcub
Poor form not crediting Homakov, GitHub. Credit means a lot to security
researchers (that is all a lot of us are working for).

If you aren't even giving simple credit, you are asking to be compromised the
next time an issue is found. GitHub is large enough and prominent enough where
it should have an entire bounty program, let alone giving a blogger a link.

~~~
homakov
github is business after all — i think they just forgot about me/my post. also
they told me previously moving to a new domain is an old idea.

~~~
niggler
" i think they just forgot about me/my post"

If you found an exploit and sold it to someone, you would be richer and they
wouldn't forget you :)

------
k3n
Not sure yet how I feel about the .io bandwagon that seems to be going around;
I think I mainly don't like taking a TLD that is specifically designated for a
country and attempting to attach a different meaning to it. I just don't know
if my pedantry is justified... Yes, I know it's been happening forever, but
that doesn't make it right.

I do like the delineation between official Github content and user-content,
but there are definitely other ways to go about the problem without buying
into the latest TLD fad.

~~~
jeremymcanally
We own a lot of TLD's for GitHub, but we just settled on this one for no real
reason other than it sounded nice (i.e., not because it's hip).

We also considered <http://github.me> and a few others, but thought this one
worked well and was short without sounding like we were trying to make a
mid-90's Personal Home Page Product™.

~~~
treitnauer
Interesting that .me is already considered as being old-fashioned. It only
launched a few years ago... :)

Now if we could only get Google to see .io as a "generic" TLD:
[https://iwantmyname.com/blog/2012/08/dear-google-please-add-...](https://iwantmyname.com/blog/2012/08/dear-google-please-add-io-to-the-list-of-generic-domains-in-webmaster-tools.html)

~~~
CamperBob2
Agreed, this seems like a weird shortcoming on their part. Not clear how best
to get the message to Google, though.

~~~
treitnauer
Google heard the message but apparently their data suggests otherwise:
[http://www.youtube.com/watch?feature=player_embedded&v=Q...](http://www.youtube.com/watch?feature=player_embedded&v=QCozweHGTk0)
– which is really hard to believe in regards to .io domains.

~~~
CamperBob2
Yeah, that's goofy. Nothing that Matt Cutts is saying in that video makes any
sense at all with respect to .io.

------
balac
This is certainly good news for HN, more than a few times I have been misled
into thinking a pages.github.com submission was an official github
announcement.

~~~
CoreDumpling
Probably needs some adjustment or moderator intervention in the near term. I
just tried a moment ago; you can still submit a pages.github.com URL and HN
will mark the domain as github.com, but it will redirect to github.io when you
follow the link.

~~~
psychometry
I really fail to see why HN doesn't display the subdomain in the submission.
Is there a reason for this?

~~~
jedberg
Because oftentimes the subdomain is irrelevant and would just make the display
cluttered. More often than not the domain would be www.

We did the same thing on reddit for the same reason. A few domains get their
subdomain when they are popular enough for people to complain.

~~~
ceejayoz
No reason www. couldn't be stripped off.

~~~
duggan
Indeed, it's not like there are an endless number of common subdomains which
don't convey much information. "www" is one, "blog" is another. That's about
it.

------
pkamb
When I go to <http://pages.github.com/>, I see absolutely no way to _make_ a
Github Page. How do you set one up?

EDIT: I know I could probably find the info in an FAQ, if I needed to. My
point is that the images on that page seem to show a nice wysiwyg online
editor for creating and publishing pages. I'm looking for a big call to action
button that takes me _there_, similar to how easy it is to publish to
<https://gist.github.com/>.

~~~
Lockyy
<https://help.github.com/categories/20/articles>

~~~
pkamb
Doesn't it seem kind of crazy that you have to sort through an FAQ to get
started? Why isn't there a big call to action button that says "Create a
Page"?

~~~
CamperBob2
Because that just results in the creation, and subsequent abandonment, of a
lot of junk pages?

~~~
kisielk
As opposed to the "New repository" button on the github.com front page...

------
ibrahima
Great all around, I hate all the links that show up here as from github.com
when they're actually from username.github.com, or even gist.github.com.
Though I guess this doesn't say anything about gists, maybe they should move
those to their own domain too. Although I really think HN should show the
first level subdomain of a domain if one exists.

~~~
balac
The same security issues shouldn't occur on gist.github.com as you can't
actually run any code there.

------
thomseddon
It's a real pain that "project pages", i.e. serving the gh-pages branch from
username.github.com/project aren't being redirected, for example:
<http://nightworld.github.com/odlnorth> just 404's

Is this an oversight or am I missing something?

~~~
holman
That's a bug; we're looking into it. Thanks!

------
blake8086
From what I understand, this is the same reason Google uses
googleusercontent.com

~~~
fyi80
But Google's domain name isn't misleading. github.io still gives the
impression of github-backed content.

~~~
kzrdude
well you know github is a.. hub.. of user content in git repositories.

------
wereHamster
Will github pages finally support SSL?

------
ZoFreX
Security vulnerability 3: Websites could sniff passwords of users with
password-saving browser extensions. If the extension autofills the username
and password (and some do out of the box), then a bit of javascript on a
GitHub Pages site could have stolen those users' Github passwords.

Excellent move on GitHub's part here.

~~~
homakov
it won't work in popular browsers. subdomain is another origin and passwords
cannot be stolen

------
thomaslutz
Is that why <http://litecoin.org/> is down?

~~~
Groxx

      <frameset rows="100%,*" border="0">
        <frame src="http://coblee.github.com/litecoin/" frameborder="0" />
        <frame frameborder="0" noresize />
      </frameset>
    

Looks like it, yeah. You can just go to <http://coblee.github.io/litecoin> in
the meantime though.

~~~
thomaslutz
Thanks, they seem to have fixed it in the meantime.

------
logn
"If your Pages site was previously served from a username.github.com domain,
all traffic will be redirected to the new username.github.io location
indefinitely"

i.e., Phishers, no need to change your email templates!

------
jbox
"As a general rule, it's not possible to securely allow arbitrary user-
provided content on a subdomain."

This rule is also good to keep in mind when choosing a domain for non-
production environments!

------
timedoctor
I think .io is a much better choice than .co, because .co is easily confused
with .com. .io is so completely different that it is less easily confused with
.com.

Note that overstock totally rebranded their domain to o.co and found that a
very large percentage of visitors were typing in o.com instead of o.co and
they were losing a very significant amount of traffic.

------
evmar
The docs for user pages appear to have been auto-rewritten to name the
repository with a .io suffix, but the cited URL doesn't seem to work.

See [https://help.github.com/articles/user-organization-and-proje...](https://help.github.com/articles/user-organization-and-project-pages), click the defunkt demo link.

~~~
gjtorikian
Fixed. Thanks for pointing it out, I thought I got them all.

------
downrightmike
I like saas companies so much more than traditional ones largely because they
offer support effectively. Test case: Try to find the number to call to
replace your bluetooth headset.

------
goldfeld
This is in turn nice for people using .io domains, the weight of Github's many
blogs and official project pages will lend trust to the TLD.

~~~
ethomson
I'm not sure that I understand this statement, could you elaborate?

I would expect that the people who need to trust a TLD (consumers, I would
presume) are not the same people who even know what GitHub is (developers,
mostly, I would presume.)

~~~
roryokane
Maybe he means search engine trust; PageRank. It’s plausible that Google
factors in, when calculating the PageRank of a site, the TLD of the site and
the proportion of bad/spammy sites that use that TLD.

------
enrmarc
Remember to migrate the threads if you are using Disqus (Admin -> Tools ->
Migrate Threads -> Start Crawler).

------
wyuenho
This change just reset all the Tweets and G+ count for my project to 0. Is
there a way to claim those back?

------
hcarvalhoalves
No one thought about pages.github.com?

~~~
steveklabnik
That does not solve the security issues that they're looking to mitigate.

~~~
hcarvalhoalves
I see. I thought they could limit the cookies to the github.com root, but they
already have stuff like gist.github.com.

~~~
Groxx
Which doesn't run arbitrary JS code, unlike the username.github.com pages,
which means gist.github.com is incapable of setting such cookies.

Unless there's a way to 'run' gist files? I'm not aware of any, but I haven't
tried particularly hard.

~~~
LukeShu
He means that if they set cookies to only apply to the root, then you will
have to log in to gist.github.com and github.com separately. Taking access
away from the un-trusted code also means taking it away from some trusted
code.

~~~
Groxx
Aaah, d'oh. Makes sense in retrospect :) thanks!

------
modarts
What's next aside from trendy hipster TLD's located in the Indian ocean? I
mean I/O amirite?!?!?!

------
woli
Had a misbehaving page because of this.

An email notification would have been nice Github.

------
r4vik
this was a long time coming; excellent move

------
lingben
is the css not loading for anyone else?

<http://i7.minus.com/jIB4Ck8nD7cOH.png>

~~~
jlogsdon
GitHub has been having DNS issues today. Maybe they screwed something up when
enabling github.io?

------
camus
or, do like heroku: something like github-pages.com or github-space.com,
mygithub.com, etc... github.io / github.com is still a bit confusing...

~~~
FuzzyDunlop
I presume they valued the terseness of the domain over the brand potential of
'Pages'. I do agree that there is confusion though. You can't possibly know
the difference between github.io and github.com until you're actually told.

