I was actually not aware of this but we got word a few days ago that one of the
@dotHIV domains was subject to an attack because I
configured the wildcard subdomain to point to GitHub. This allowed the attacker
to host their content on a subdomain. It's by design. Here is why:
3 replies
Replying to @coderbyheart
GitHub allows anyone to configure the domain name used for GitHub pages, and
there is no validation of ownership.
If a wildcard subdomain then points to the GitHub webservers it will be served
by GitHub since they cannot establish a connection between a user/org and a
domain.
Replying to @coderbyheart
That's why there should only be explicit subdomains (e.g. www) pointing to
http://USERNAME.github.io
I used a wildcard out of a habit, if you own the machine serving the website
that's usually fine and makes things easy.
I now know better.
Replying to @coderbyheart