Very weird of them to not use github.com but instead use the domain they otherwise use for non-github/user content. Phishy indeed, and then people/companies go ahead and blame users for not taking care/checking, yet banks and more continuously deploy stuff in a way to train users to disregard those things.
Why is it phishy? Github.io has been the domain they use for all GH pages for a long time with subdomains mapping to GH usernames. It’s standard practice to separate user generated content from the main domain so that it doesn’t poison SEO.
First of all, any subdomain system domain is already a bit phishy because you need to somehow parse whether github.io is officially part of github.com and not, say, something like git-hub.xyz by a phisher or whatever new TLD there. These things are used by sysadmin/project pairs that can't budget $1/month for a domain name, so it's 100% a security/price tradeoff.
Second of all, the actual domain host is publishing as one of these untrusted users on their alternate subdomain, so it could be a phisher using a subdomain of the official alternate domain with malicious material.
Thirdly, even if it is all legit, it is still a problem, because it weakens security posture, it trains users to ignore domain names.
I understand if it appears subtle, but I wish that we lived in a world where whoever is responsible for this gets put on a PIP.
I get your general objections, but not in this specific case. Github has been using Github.io for pages since 2013 and it's been the de facto developer platform at least as long (and all other developer tools follow the same pattern when publishing user generated content). Unless GH has a massive vulnerability that hasn't been discovered yet, no one is publishing to *.github.github.io except for the official Github organization. That has been more stable than Linux syscalls and Windows GUI frameworks.
Would it really make a difference if they just added a CNAME from foobar.github.com to point at github.github.io?
Would it really make a difference if they just added a CNAME from foobar.github.com to point at github.github.io?
Yes, that would help, but it's not very discoverable.
I think a certificate mechanism would be much more appropriate for that.
The SSL certificate should be emitted for github.com and github.io
Of course, since github.io is rented out, it doesn't make sense. But if you ever have an alias, that's the way to do it: if I get a link to getproduct.com and it gets redirected to product.com, I can check the cert and see that it was issued for both domains.
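The certificate check the comment above describes, as an added example (not code from any commenter or from GitHub): two constructed self-signed certificates stand in for what a site would present, and the host names getproduct.com and product.com are taken from the comment. The check uses the same SAN matching a TLS client applies, so an alias that was redirected to the canonical site should pass for both names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate whose SAN list
// contains the given DNS names. It exists only so the example runs offline;
// a real check would use the certificate presented by the server.
func selfSignedCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames, // the SAN entries a client actually matches against
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CoversBoth reports whether the certificate is valid for both the alias the
// user was given (e.g. getproduct.com) and the host it redirected to
// (e.g. product.com). VerifyHostname applies standard SAN/wildcard rules.
func CoversBoth(cert *x509.Certificate, alias, canonical string) bool {
	return cert.VerifyHostname(alias) == nil && cert.VerifyHostname(canonical) == nil
}

func main() {
	good, _ := selfSignedCert([]string{"product.com", "getproduct.com"})
	bad, _ := selfSignedCert([]string{"product.com"})
	fmt.Println(CoversBoth(good, "getproduct.com", "product.com")) // true
	fmt.Println(CoversBoth(bad, "getproduct.com", "product.com"))  // false
}
```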
I see a lot of people confused, and it is confusing. Here's my best take at clarifying the issue for you:
It's as if Google sent you an official email from an @gmail address.
Like "gmail-invoices@gmail.com"
Surely it would look suspicious, and if it turns out it is official, it doesn't somehow mean there's no issue, if anything it's worse because it untrains users' security protocols.
Personally I'd ignore anything that comes out of one of these domains, even if it turns out an actual employee pushed it. If you can't publish something on the main domain, you don't have enough authority to speak for the company; you may be skunkworking to avoid an internal protocol, I don't know, I don't care, it's not official, I don't need to read it.
I don't think this is the same thing though, in their documentation the subdomain has to be for the owner or organization, so if it's `github.github.io` then it belongs to the `github` organization [1]
Though I guess I do get your point, meaning that this leads to people trusting the domain name if they are uneducated about how GitHub Pages works.