
Please petition GitHub to support HTTPS on GitHub pages - cayblood
https://gist.github.com/coolaj86/e07d42f5961c68fc1fc8
======
elmin
This is a little weird to me, because it's so easy to host your site a
multitude of different ways. The notable thing about GH is it's free, which
makes complaining about it not having the one feature you want so odd. If you
want that feature, pay the buck or two it will cost to host your site on
CloudFront with something like Stout [1].

1: [http://stout.is](http://stout.is)

~~~
jakobegger
Github provides an all-in-one hosting solution for Open Source projects. You
can host code, bug tracker, binaries, and the project website all on Github. I
use it to host [http://postgresapp.com](http://postgresapp.com), for example.
It's extremely convenient.

But there is one big gaping security hole: If your project page is served over
plain HTTP, and people click on the download link, they are vulnerable to a
man-in-the-middle attack. An attacker could change the link to point to a
malicious binary instead.

The only way to prevent this is to make sure that your customers don't access
your website over HTTP. And this is why HTTPS support for Github pages is
important.

~~~
nightcracker
Can't a MITM change the DNS for "postgresapp.com" to one of their servers,
regardless of HTTPS?

~~~
jakobegger
No. If the client connects via HTTPS, it will only connect to a server that
presents a valid cert.

------
leighmcculloch
You can use CloudFlare with a custom domain in front of Github Pages. It
works. I do this for
[https://github.com/leighmcculloch/5tweets.com](https://github.com/leighmcculloch/5tweets.com)
which you can see SSL'd at [https://5tweets.com](https://5tweets.com).

~~~
logical42
Yeah but someone can still get between cloudflare and github pages since the
traffic between the two end points would still be unencrypted and thus open to
MITM..

~~~
samwillis
Actually GitHub have ssl on their username.github.io domain so you can have
full ssl from CloudFlare back to GitHub.

~~~
sneak
Which unfortunately doesn't work with CloudFlare on a different domain because
it sends the custom domain Host header.

~~~
prdonahue
You can use a Page Rule to override this host header with whatever you like:
[https://support.cloudflare.com/hc/en-us/articles/206652947-U...](https://support.cloudflare.com/hc/en-us/articles/206652947-Using-Page-Rules-to-Re-Write-Host-Headers).

~~~
sneak
Enterprise plans only. I thought "do all of this for free" was implicit in the
request to GitHub.

------
diafygi
FYI, when Let's Encrypt goes public in a week, you'll be able to get free
certs without having to install anything by using
[https://gethttpsforfree.com](https://gethttpsforfree.com)

Fun fact, the website is just a reverse proxied github static page:
[https://diafygi.github.io/gethttpsforfree](https://diafygi.github.io/gethttpsforfree)

------
alfredxing
I'd love to see SSL support on custom domains as well, but I know there are a
couple of reasons why it hasn't happened already:

1. GitHub Pages likely isn't a core focus for GitHub, however useful it may
be

2. GitHub Pages is currently completely interface-less, relying only on an
automated build system running each site through Jekyll and deploying it. In
order to support custom certificates, they would need to build an interface
for certificate uploading/maintenance (and of course putting the certs & keys
into the repo, like the current CNAME system, won't work).

~~~
landr0id
> In order to support custom certificates, they would need to build an
> interface for certificate uploading/maintenance

With Let's Encrypt (mentioned in the issue) it could be 100% automated with
free certs.

~~~
lifthrasiir
If there are hundreds of thousands of these certificates, you will need a
custom ACME client anyway. It is not trivial even with the presence of SNI.

~~~
diafygi
Eh, ACME isn't that complex. I wrote a fully automated client in less than 200
lines of python.

[https://github.com/diafygi/acme-tiny](https://github.com/diafygi/acme-tiny)

~~~
lifthrasiir
An HTTP client that gives a simple automated response is easy to write. An
HTTP client that gives simple automated responses _to 10,000 connections every
second_ is not easy to write.

(Disclaimer: That said, I haven't seriously assessed the scalability of
typical ACME clients. I would appreciate any hard number for them.)

~~~
michaelt
The ACME client only has to run once every 90 days, to validate domain
ownership and retrieve an updated certificate. After that, the certificate can
be stored on and loaded from disk - the same way most of the files being
served are probably stored.

It's true there might be some added complexity, as the private keys will need
to be stored securely. And session resumption data, if you need to support
that. Doesn't seem like an insurmountable problem, though.

------
kevindeasis
+1

But are you guys seriously going to spam github/contact or support@github.com?

Because if that was my inbox, I'd be pissed looking at thousands of emails
that contain the same body.

~~~
KNoureen
Makes it super easy to filter out and delete though...

------
joeyrideout
I agree with imbriaco's sentiment from the linked discussion - using a CDN or
some other host that supports SSL to host your static site is a good solution.
I recently migrated my GitHub pages site to Amazon S3 and Cloudfront. I had to
buy a cheap Comodo SSL certificate and upload it to AWS to get it working with
my custom domain, but the documentation[1] was good enough that it didn't take
me very long at all.

[1]
[http://docs.aws.amazon.com/AmazonCloudFront/latest/Developer...](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#CNAMEsAndHTTPS)

------
detaro
What's missing in all that is that they are talking about HTTPS for custom
domains, _username_.github.io supports HTTPS already.

------
jstoiko
Maybe let people star a dedicated repo instead of sending an email to github.

------
bad_user
While GitHub has a free account, it gets quite expensive when you start
paying. And GitHub Pages is a complementary add-on and many of us stayed on
GitHub because of nice things like this. I do agree that it isn't their core
focus and that people could host their stuff somewhere else for cheap.

However there is something to be said about making encrypted connections the
standard. Chrome and Firefox will only support encrypted HTTP 2.0 connections.
So if GitHub Pages does not provide HTTPS for custom domains, then it won't
support HTTP 2.0. Adding HTTPS support is also the right thing to do given the
recent attacks on privacy.

Yes, GitHub Pages is a free add-on that isn't their competency, but in my
opinion they should either drop it completely, or support HTTPS. Because
otherwise they are keeping the web back due to their popularity.

------
alaaibrahim
Yeah, and please send me a free flying car while you are at it.

Obviously everybody would like that, but it's not as easy as it seems. As
github pages, technically are virtual domains, they share the same ip with
many other pages, if you want to support https, you need to serve either each
page on a different ip (not free), or they need to configure multidomain
ssls (which every time they need to add a new domain, that means they have to
reset the certificate for the other domains on the same ip), and I think there
is a limit on the number of domains that can share the same ip - citation
needed - . And all of this for free.

Want SSL on gh pages, setup a proxy in front of gh pages.

~~~
0x0
Or you can use a web server that supports SNI. You'd lose android 2.x and
ie@winxp clients though, but those will be lost anyways soon due to outdated
cipher suites and certificate hash algorithms

~~~
alaaibrahim
> configure multidomain ssls (which everytime they need to add a new domain,
> that means they have to reset the certificate for the other domains on the
> same ip),

Sorry should've called it SNI.

~~~
0x0
Multidomain certs are not the same thing as SNI.

~~~
alaaibrahim
Thank you, learned something new today.

------
aritraghosh007
It's quite a coincidence that I scouted for an answer for this today while I
was setting up SSL for my gh-pages. As already pointed out by some comments,
it's not quite as simple as we think it is to have GitHub extend SSL for its
pages. It's for the same reason that Tumblr doesn't allow SSL support for
custom domain either. IMHO, CloudFlare is probably the simplest workaround to
get SSL enabled for your gh-pages. Link on how to
[https://me.net.nz/blog/github-pages-secure-with-cloudflare/](https://me.net.nz/blog/github-pages-secure-with-cloudflare/)

------
SamReidHughes
What's missing is, why? It's a static site, so you won't get any real privacy
about what you're reading. If you have binaries to distribute, you have other
features for releasing them that let you use TLS.

~~~
sdrinf
Script injection (see Comcast a few weeks ago), page manipulation (eg.
pointing at download links with malicious side-load), keyword-based filtering
(HTTP inspection). If you're using non-default DNS servers, you also get
privacy on _which site_ you're reading: all HTTP request headers also get TLS
protection, which includes hostname, path, etc. And while outside of Tor,
there's no protection for the IP address (so third parties can know you're
reading a page on github), "a site hosted on github" encompasses a wide
variety of content.

~~~
SamReidHughes
> "a site hosted on github" encompasses a wide variety of content.

That doesn't help, you can easily fingerprint a page from secondary requests
or incoming/outgoing links.

------
fibo
I also have my personal website on GH pages + Cloudflare. If it is for a
static web site I think it is ok, and thanks to both companies that give us
this service for free.

If you pretend more you can pay and use AWS or some other service.

------
stephentmcm
Of note guys there's a little ! icon button in the top of the page to report
this gist. It's basically encouraging spam and as everyone has pointed out, is
likely not technically sound.

------
kentbrew
Worth noting: https works on yourname.neocities.org.

~~~
detaro
Just like it does on _yourname_.github.io. (Since that just requires a
wildcard cert)
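
Added example, not part of any comment in this thread and not GitHub's code: a small Python model of two points discussed above, why a wildcard certificate covers _username_.github.io but not a custom domain, and how SNI lets one IP serve a separate certificate per custom domain. The certificate name lists and the `SniServer` class are constructed for illustration; no real TLS is performed.

```python
# Constructed sample data: the names a shared wildcard certificate would carry.
WILDCARD_SANS = ["*.github.io", "github.io"]


def name_matches(pattern, host):
    """RFC 6125-style match: '*' may only be the whole left-most label
    and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as '*.com'.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_valid_for(san_list, host):
    """Client-side check: does any name in the certificate cover this host?"""
    return any(name_matches(s, host) for s in san_list)


class SniServer:
    """Hypothetical model of one IP holding many certificates, chosen by the
    server_name the client sends in its ClientHello."""

    def __init__(self, default_sans):
        self.default_sans = default_sans
        self.by_name = {}

    def add_site(self, host, sans):
        # Adding a site stores a new certificate; existing ones are untouched
        # (unlike a multi-domain certificate, which must be reissued).
        self.by_name[host.lower()] = sans

    def select_cert(self, server_name):
        if server_name is None:  # client that does not send SNI
            return self.default_sans
        return self.by_name.get(server_name.lower(), self.default_sans)


def handshake_ok(server, host, client_sends_sni=True):
    """True if the certificate the server picks is valid for the host."""
    cert = server.select_cert(host if client_sends_sni else None)
    return cert_valid_for(cert, host)


if __name__ == "__main__":
    srv = SniServer(WILDCARD_SANS)
    for h in ("username.github.io", "postgresapp.com"):
        print(h, handshake_ok(srv, h))
```

A client that sends no SNI always receives the default certificate, which is why custom domains fail for the older clients mentioned in the thread while _username_.github.io keeps working.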

------
Sir_Cmpwn
I add SSL through a proxy to GitHub pages.

------
zackify
Been wanting built in ssl forever.

------
jakobegger
Isn't Github Pages hosted on S3? That would explain the lack of TLS on custom
domains.

Anyway, this is a very major security flaw. Lots of software uses Github pages
for the project website. If you put a download link on an unsecure page, you
are putting all your customers at risk.

~~~
manigandham
GitHub Pages is their own infrastructure for hosting files and static sites:
[http://githubengineering.com/rearchitecting-github-pages/](http://githubengineering.com/rearchitecting-github-pages/)

Also the download files themselves can be hosted on Github repos as releases
which supports TLS.

~~~
jakobegger
Hosting the downloads themselves via HTTPS is completely useless if the link
to that file is transferred over HTTP.

~~~
manigandham
Link to the repo/releases page...

~~~
jakobegger
Jesus Christ, you really don't understand, do you?

If the original website is insecure, everything could be faked, including the
link to the releases page.

If HN readers don't understand this, who does?

