Heh, at least he didn't get his account banned prematurely.
It's already been said, but as many headaches as Egor's proof-of-concepts gave GitHub's staff, they've really helped educate the general dev public (well, me at least) about security-mindedness. GitHub's security explanatory notes in the OP are helpful, but Egor's demo really made the issues memorable.
Egor's posts have also helped GitHub improve their security, to the extent that they're willing to listen.
I told a couple of people at GitHub that they should add a way to select which email addresses can be used for password reset. Both agreed it was a good idea, but there hasn't been any action.
If you want commits to be linked to your GitHub account, you have to add the email to your account settings page. If you add the email to your account settings page, it can be used to reset the password and gain access to the account.
Poor form not crediting Homakov, GitHub. Credit means a lot to security researchers (that is all a lot of us are working for).
If you aren't even giving simple credit, you are asking to be compromised the next time an issue is found. GitHub is large enough and prominent enough that it should have an entire bounty program, let alone give a blogger a link.
That's sort of the opposite scale to what the (greyhat) security community would expect, though. Try tacking an HTML5 scroller (with an original SID composition) onto the end of the announcement, crediting the researcher. ;)
Not sure yet how I feel about the .io bandwagon that seems to be going around; I think I mainly don't like taking a TLD that is specifically designated for a country and attempting to attach a different meaning to it. I just don't know if my pedantry is justified... Yes, I know it's been happening forever, but that doesn't make it right.
I do like the delineation between official GitHub content and user content, but there are definitely other ways to go about the problem without buying into the latest TLD fad.
There's very little reason for .io to be used as designated: .io is the TLD for the British Indian Ocean Territory which has been depopulated since the 60s and 70s. It now consists of a nature preserve and a joint British-American naval base.
Now, there is an issue with the Chagossians being forcibly removed from the islands, but should they ever resettle and gain sovereignty, it seems unlikely they'll continue to call themselves the British Indian Ocean Territory, necessitating a TLD change anyway (a la .su, .tp, and .an).
We own a lot of TLDs for GitHub, but we just settled on this one for no real reason other than it sounded nice (i.e., not because it's hip).
We also considered http://github.me and a few others, but thought this one worked well and was short without sounding like we were trying to make a mid-90's Personal Home Page Product™.
For the past year or 2 I've been seeing more and more of them. However, I don't have any bookmarked, at least not yet. I found a pretty good time-waster[3] where I may end up with some. I found one here on HN[2] too....might be more. Also found a relevant question on a StackExchange[3] site.
I can't comment about github.io, but to address your larger concern, this is in part due to the vast amount of cybersquatting. It's now very difficult to get meaningful domain names in the top TLDs, so companies and projects are being pushed to other TLDs. It's easier for techs to move to non-mainstream TLDs than for consumer-oriented companies, b/c we're comfortable with using them, whereas the average consumer will be confused or hesitant to click.
The trend will eventually be that, except for established historical domains (.co.uk, and a few dozen more), most TLDs won't signify anything. That's already happened with .ly, and is happening now with .io and .co.
This is certainly good news for HN, more than a few times I have been misled into thinking a pages.github.com submission was an official github announcement.
Probably needs some adjustment or moderator intervention in the near term. I just tried a moment ago; you can still submit a pages.github.com URL and HN will mark the domain as github.com, but it will redirect to github.io when you follow the link.
Indeed, it's not like there are an endless number of common subdomains which don't convey much information. "www" is one, "blog" is another. That's about it.
The problem wasn't anticipated, and the fix has been to enable showing subdomains only on certain domains, mainly blog hosts like wordpress, blogspot, tumblr.
When I go to http://pages.github.com/, I see absolutely no way to make a Github Page. How do you set one up?
EDIT: I know I could probably find the info in an FAQ, if I needed to. My point is that the images on that page seem to show a nice wysiwyg online editor for creating and publishing pages. I'm looking for a big call to action button that takes me there, similar to how easy it is to publish to https://gist.github.com/.
You create a repo named username.github.io (eg., pkamb.github.io). Put static files in it, and they will become available automatically. More information here: https://help.github.com/categories/20/articles
Doesn't it seem kind of crazy that you have to sort through an FAQ to get started? Why isn't there a big call to action button that says "Create a Page"?
Project pages should come from a project repo. Why would you expect to go to a page and expect to be able to create from there? Do you have a repo / project on Github? Then you would have figured it out on your own.
Great all around, I hate all the links that show up here as from github.com when they're actually from username.github.com, or even gist.github.com. Though I guess this doesn't say anything about gists, maybe they should move those to their own domain too. Although I really think HN should show the first level subdomain of a domain if one exists.
It's a real pain that "project pages", i.e. serving the gh-pages branch from username.github.com/project, aren't being redirected. For example: http://nightworld.github.com/odlnorth just 404s.
Security vulnerability 3: Websites could sniff passwords of users with password-saving browser extensions. If the extension autofills the username and password (and some do out of the box), then a bit of javascript on a GitHub Pages site could have stolen those users' Github passwords.
"If your Pages site was previously served from a username.github.com domain, all traffic will be redirected to the new username.github.io location indefinitely"
i.e., Phishers, no need to change your email templates!
I think .io is a much better choice than .co, because .co is easily confused with .com. .io is so completely different that it is less easily confused with .com.
Note that overstock totally rebranded their domain to o.co and found that a very large percentage of visitors were typing in o.com instead of o.co and they were losing a very significant amount of traffic.
I like saas companies so much more than traditional ones largely because they offer support effectively.
Test case: Try to find the number to call to replace your bluetooth headset.
I'm not sure that I understand this statement, could you elaborate?
I would expect that the people who need to trust a TLD (consumers, I would presume) are not the same people who even know what GitHub is (developers, mostly, I would presume.)
Maybe he means search engine trust; PageRank. It’s plausible that Google factors in, when calculating the PageRank of a site, the TLD of the site and the proportion of bad/spammy sites that use that TLD.
He means that if they set cookies to only apply to the root, then you will have to log in to gist.github.com and github.com separately. Taking access away from the un-trusted code also means taking it away from some trusted code.
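Both the autofill point earlier in the thread (a password extension filling github.com credentials into a form on a username.github.com page) and the cookie point just above (gist.github.com versus github.com) come down to one question: do two hosts share a registrable domain? Password managers match saved logins on that basis, and browsers use the same rule, via the Public Suffix List, to decide which `Domain=` cookie attributes a page may set and which hosts a cookie is sent to. The following is an added example, not code from this thread or from GitHub, that models that check. The suffix list is a constructed three-entry subset (`com`, `io`, `github.io`) standing in for the real Public Suffix List, and the function names are my own.

```javascript
// Constructed mini Public Suffix List: a real browser consults the full list.
// "github.io" being a public suffix is what makes user pages their own "site".
const PUBLIC_SUFFIXES = new Set(["com", "io", "github.io"]);

// Registrable domain (eTLD+1): one label longer than the longest public suffix.
// Returns null when the host is itself a public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = labels.length - 1; i >= 0; i--) {
    const suffix = labels.slice(i).join(".");
    if (!PUBLIC_SUFFIXES.has(suffix)) {
      return suffix;
    }
  }
  return null;
}

// Two hosts are "same site" when they share a registrable domain. This is the
// test a password manager applies before offering saved credentials, and the
// reason credentials saved for github.com were offered on user.github.com.
function sameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  const b = registrableDomain(hostB);
  return a !== null && a === b;
}

// Cookie rules modelled here: a Domain attribute must be a suffix of the
// setting host and must not be a public suffix (browsers reject the latter,
// which stops user.github.io from "tossing" a cookie onto every *.github.io).
function canSetDomainCookie(settingHost, domainAttr) {
  const d = domainAttr.toLowerCase().replace(/^\./, "");
  if (PUBLIC_SUFFIXES.has(d)) return false;
  const h = settingHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// A cookie with Domain=d is sent to d and to every subdomain of d, so script
// on any such subdomain can read it unless it is HttpOnly.
function cookieSentTo(domainAttr, requestHost) {
  const d = domainAttr.toLowerCase().replace(/^\./, "");
  const h = requestHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Summarise what a user-content host can do against the main site, before and
// after the move. Returned as an object so the outcome can be checked, not just printed.
function exposure(userHost, mainHost) {
  const main = registrableDomain(mainHost);
  return {
    autofillMatches: sameSite(userHost, mainHost),
    mainCookiesReachUserHost: cookieSentTo(main, userHost),
    userHostCanTossCookieOntoMain: canSetDomainCookie(userHost, main),
  };
}

console.log("before:", exposure("user.github.com", "github.com"));
console.log("after: ", exposure("user.github.io", "github.com"));
```

Running it shows every flag true for `user.github.com` against `github.com` and every flag false for `user.github.io`. The `gist.github.com` comment above falls out of the same model: it shares the registrable domain `github.com`, so a session cookie scoped to `github.com` reaches both, and narrowing the cookie to one host is what would force separate logins.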
I presume they valued the terseness of the domain over the brand potential of 'Pages'. I do agree that there is confusion though. You can't possibly know the difference between github.io and github.com until you're actually told.
http://homakov.blogspot.com/2013/03/hacking-github-with-webk...