Gigachad 12 hours ago [-]
Seems like GitHub could solve this by making users verify they own a domain name by adding a value to a txt record rather than just seeing the domain points to github and letting any repo use it.
Thank you; just did that for my domain I use with GH Pages. They should really mention that in the setup instructions.
rockbruno 11 hours ago [-]
You can do it; iirc they even stress doing so in the docs for GitHub Pages if you don't want your domain to be stolen.
darkteflon 11 hours ago [-]
I’ve set up two static pages with custom domains using GH Pages in the past couple of months, and both times I had to go digging in the docs before I found the verification page as part of trying to figure out why https wasn’t working. Fucking inexplicably poor UX design from GH. If I add a custom domain, just ask me to verify it.
stellamariesays 6 hours ago [-]
[dead]
usagisushi 10 hours ago [-]
Practically, it's not limited to GitHub Pages, though.
By the way, even while a custom domain is still pending verification, the GitHub Pages LB will route the request based on the Host header, allowing for the following:
Another fun trick: You can also use wildcard DNS services like nip.io/sslip.io for alias domains, such as `my-page.185.199.108.153.sslip.io`. (Not sure of any practical use cases, though.)
ardeaver 9 hours ago [-]
Something similar once happened to me with an old domain with nameservers I had pointed to DigitalOcean from my registrar.
Managing DNS through DigitalOcean (although, this should be possible with any DNS service) requires both pointing the nameservers to that service and adding the domain to your account. If you delete the domain from your account, like I had, but forget to update the nameservers with your registrar, anyone else can claim the domain. Theoretically, if you redirect the nameservers first and then add the domain to your account, someone could swipe it from you, I guess. Though it would basically have to be pure luck.
Why is it always slot machines though?
est 11 hours ago [-]
Rows 5-7 of your DNS config are the culprit.
Don't point a wildcard domain to Github. It's a wildcard and dangerous.
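To make the two points above concrete (Gigachad's suggestion of proving ownership with a TXT record, usagisushi's note that the Pages load balancer routes on the Host header even for a domain still pending verification, and est's warning about wildcard records), here is an added example that is not GitHub's code or any commenter's. It audits a constructed zone fragment for A/CNAME records that delegate traffic to GitHub Pages, rates wildcard delegation as high risk, and then models a shared static host that only binds a custom domain to a tenant when that tenant's challenge token is published in DNS. Two assumptions are mine rather than the thread's: the verification TXT record name `_github-pages-challenge-<user>` and the Pages addresses 185.199.109-111.153 (only 185.199.108.153 appears in the thread); confirm both against GitHub's current documentation.

```python
"""Audit a DNS zone for the GitHub Pages custom-domain exposure discussed above.

Added example, not GitHub's code or any commenter's. Two defensive checks:
  1. audit_zone() flags A/CNAME records that hand traffic to GitHub Pages,
     rates wildcard records 'high', and reports whether the owner of each
     target has published a domain-verification TXT record in this zone;
  2. PagesLikeHost models a shared static host that only binds a custom
     domain to a tenant when that tenant's challenge token is in DNS.
Assumptions (mine, not from the thread): the TXT record name
`_github-pages-challenge-<user>` and the addresses 185.199.109-111.153;
only 185.199.108.153 is quoted in the thread. Zone data below is constructed.
"""

GITHUB_PAGES_IPS = {
    "185.199.108.153", "185.199.109.153", "185.199.110.153", "185.199.111.153",
}
GITHUB_PAGES_SUFFIX = ".github.io"
CHALLENGE_PREFIX = "_github-pages-challenge-"  # assumed record name, see docstring

# Constructed zone fragment for a fictional domain; one record per line.
SAMPLE_ZONE = """
example.com        A      185.199.108.153
www.example.com    CNAME  alice.github.io.
legacy.example.com CNAME  bob.github.io.      # target user never verified here
*.example.com      CNAME  alice.github.io.    # wildcard delegation, the risky pattern
example.com        MX     10 mail.example.com.
_github-pages-challenge-alice.example.com TXT "abc123token"
"""


def parse_zone(text):
    """Parse `name TYPE value` lines; '#' starts a comment, TXT quotes are stripped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # blank, comment-only, or malformed line
        name, rtype, value = parts
        records.append((name.lower(), rtype.upper(), value.strip().strip('"')))
    return records


def pages_target_user(rtype, value, fallback_user):
    """Return the GitHub user a record delegates to, or None if it is not Pages."""
    if rtype == "A" and value in GITHUB_PAGES_IPS:
        return fallback_user.lower()  # an A record carries no username
    if rtype == "CNAME":
        target = value.rstrip(".").lower()
        if target.endswith(GITHUB_PAGES_SUFFIX):
            return target[: -len(GITHUB_PAGES_SUFFIX)]
    return None


def audit_zone(records, zone, github_user):
    """Return (severity, record name, message) for every record aimed at Pages."""
    txt_names = {n for n, t, _ in records if t == "TXT"}
    findings = []
    for name, rtype, value in records:
        user = pages_target_user(rtype, value, github_user)
        if user is None:
            continue
        challenge = f"{CHALLENGE_PREFIX}{user}.{zone}"
        if name.startswith("*."):
            findings.append(("high", name,
                             f"wildcard {rtype} gives every unclaimed subdomain to Pages"))
        elif challenge not in txt_names:
            findings.append(("medium", name,
                             f"{rtype} -> {user} on Pages, but no {challenge} TXT record"))
        else:
            findings.append(("info", name, f"{rtype} -> {user} on Pages, verified by TXT"))
    return findings


class PagesLikeHost:
    """Toy multi-tenant static host: one Host header maps to one tenant."""

    def __init__(self, records):
        self.records = records
        self.bindings = {}  # host -> tenant

    def txt_values(self, name):
        return {v for n, t, v in self.records if n == name and t == "TXT"}

    def bind(self, tenant, host, zone, token, require_verification=True):
        """Claim `host` for `tenant`; with verification on, DNS must prove ownership."""
        if host in self.bindings:
            return False
        if require_verification:
            challenge = f"{CHALLENGE_PREFIX}{tenant}.{zone}"
            if token not in self.txt_values(challenge):
                return False  # no proof in the zone: refuse, do not route
        self.bindings[host] = tenant
        return True

    def route(self, host):
        """Pick the tenant for an incoming Host header; None means no site."""
        return self.bindings.get(host.lower())


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for sev, name, msg in audit_zone(recs, "example.com", "alice"):
        print(f"[{sev:6}] {name}: {msg}")
    lax = PagesLikeHost(recs)
    print("claim without verification:",
          lax.bind("mallory", "promo.example.com", "example.com", "n/a", False))
    strict = PagesLikeHost(recs)
    print("claim with verification:",
          strict.bind("mallory", "promo.example.com", "example.com", "n/a"))
```

Run against the constructed zone, the audit reports the wildcard as high, the CNAME to an unverified user as medium, and the two records backed by alice's TXT as info. The host model shows the difference the thread is arguing about: with verification off, a second tenant can bind any name under the wildcard and the router will serve it; with verification on, the bind fails because no challenge record for that tenant exists in the zone.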
rmeertens 11 hours ago [-]
Yep! Fixed it already!
tamimio 11 hours ago [-]
>how long it’s been abused?
I would say probably 10 years; I remember reading about the CNAME GitHub issue around 2015 or so. Before that most people used Jekyll with GH Pages, which was very popular among indie developers.
CodesInChaos 10 hours ago [-]
Why is securely setting up custom domains for github pages so error prone? The `<user>.github.io` CNAME record already contains the username. So why can another user steal it?
edit: apparently CNAME can't be used for TLD+1, only for subdomains, so you have to use a more error-prone approach for those.
halapro 11 hours ago [-]
You told your NS to forward any request to GitHub, a platform you don't own.
I think this is the expected outcome.
It's good you noticed and shared your findings, but to me this "works as intended"
tomhow 11 hours ago [-]
Please don’t scold people on HN. That’s not the style of discussion we’re trying for here.
I'm not scolding, I'm explaining what happened. The post uses the word "abuse" for something that was the expected outcome.
It's like saying "my motorbike was stolen" when you left the key in the ignition for a day in the favelas. What did you expect exactly?
tomhow 3 hours ago [-]
There's a pattern in your comments of being snarky. Explaining what happened is fine, but on HN we're trying for curious conversation, and we clearly ask for kindness and to avoid swipes and other kinds of negativity towards other commenters.
It may be that the words you're writing don't seem so snarky when they're just being formulated in your mind; that's a common pitfall with online discussion forums. Please try to be more thoughtful about how your words come across.
https://news.ycombinator.com/newsguidelines.html
rmeertens 11 hours ago [-]
I wrote it down and posted it for others to learn, and to see if Github can make it harder for scammers to abuse the mistakes of others!
iqfareez 11 hours ago [-]
[dead]
pigbearpig 11 hours ago [-]
You wildcarded any traffic to github.com and thought, "eh, they probably check" and are wondering who is at fault? It's you.
You didn't think through the consequences, and you could learn a bit more about DNS.
rmeertens 11 hours ago [-]
> are wondering who is at fault? It's you
I know, that's why I wrote it down.
I did not expect that Github facilitates other accounts creating scam pages under the domain I own...