Early bird prices are coming to an end soon... ⏰ Grab your tickets before January 17

This article was published on April 7, 2013

GitHub moves its hosted developer Pages to a github.io domain over security concerns


GitHub moves its hosted developer Pages to a github.io domain over security concerns

GitHub, a popular software development service, announced on Friday that it migrated all developer Pages hosted on its servers to a new domain because of security concerns it had regarding malicious websites.

In essence, the company felt that users who came to github.com would feel that Pages hosted on there were automatically secure since it was under the GitHub domain — this wasn’t necessarily true. To separate itself from any issues, GitHub has migrated Pages to github.io.

While it has 3 million users, GitHub is perhaps visited daily by many more. Its GitHub Pages offering was created to offer developers a resource so that they could create webpages for their projects in a manner that would be appealing to potential users, companies, and maybe even investors. The company not only offered developers free hosting, but also a page generator with specific themes.

Trust GitHub, but don’t put 100% trust in Pages

According to GitHub’s Ryan Tomayko, this migration was a security measure aimed at “removing potential vectors for cross domain attacks targeting the main github.com session as well as vectors for phishing attacks relying on the presence of the “github.com” domain to build a false sense of trust in malicious websites.”

Translated simply as: because you visited a GitHub.com page, you assumed that everything was secure, when it wasn’t necessarily 100 percent of the time, so to avoid any confusion, all Pages are on a .io domain while the GitHub you trust is still at its .com domain.

Browser and phishing attacks

Tomayko says that this change was brought about because of two broad categories of vulnerabilities. The first one centered around session fixation and CSRF vulnerabilities from a browser security issue called “Related Domain Cookies”. Through this, an attacker could create a piece of code that could deny access to GitHub.com.

Additionally, GitHub is worried about phishing attacks that it says rely on the fact that there’s a github.com domain to create a “false sense of trust in malicious websites.” It cites an example in which an attacker could set up a Page site at account-security.github.com and ask users to input passwords, billing information, or anything else confidential.

But even with these concerns, GitHub says that it does not have any evidence of any account being compromised as a result of either vulnerability.

Precedent of malicious intent

This change definitely is needed, especially following its most recent battle with online criminals who pushed randomware hosted on GitHub’s Pages last February. In that episode, malware was served through GitHub Pages that infected computers using the Stamp EK exploit kit. As we reported back then, using legitimate websites for hosting malware reduces the chance that victims will become suspicious.

What GitHub did

For those developers who have a GitHub Page (with a domain username.github.com), it has automatically been redirected to the new location (username.github.io) and the company says no links will need to be changed. If a custom domain has been set of for a Page, then you need not worry as this change does not affect you.

If you’re interested in the technical details, GitHub has provided some more tidbits of information:

  • All User, Organization, and Project Pages not configured with a custom domain are now hosted on github.io instead of github.com. For instance,username.github.com is now served canonically from username.github.io.
  • An HTTP 301 Moved Permanently redirect has been added for all *.github.comsites to their new *.github.io locations.
  • Pages sites configured with a custom domain are not affected.
  • The Pages IP address has not changed. Existing A records pointing to the Pages IP are not affected.

So if you see a GitHub.com web address now, it’s most likely going to be comprised of content produced by the company instead of from a third-party developer. If you need to see Pages, there’s the .io domain, but while the Pages have been migrated, there is no added guarantee that they are safe and without any malicious intent.

Photo credit: Sean Gallup/Getty Images

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with