rgrove / rawgit

Served files from raw.githubusercontent.com, but with the correct content types. No longer actively developed.
https://rawgit.com
MIT License

Security concerns about raw.githubusercontent.com going away #197

Closed JLLeitschuh closed 5 years ago

JLLeitschuh commented 5 years ago

Hi! First off, I want to thank you for running this service for the past 5 years. I know it's gained a lot of popularity. A quick search of GitHub shows that there are ~4 million uses of your site in code across GitHub.

The domain name raw.githubusercontent.com is incredibly valuable to a malicious actor looking to be able to serve their own malicious content to any site that is using raw.githubusercontent.com as a CDN (even though you explicitly advise people against doing this).

By your own account on this project's homepage:

Last month alone RawGit served over 4.2 billion requests and consumed more than 176 terabytes of bandwidth. Those numbers are simply unfathomable to me. They're almost too huge to be real.

With that kind of traffic, I can almost guarantee that there are hackers out there just waiting for your DNS entry and/or HTTPS cert for raw.githubusercontent.com to expire so that they can take over the domain.

I 100% respect your desire to no longer run RawGit. However, you need to be incredibly careful not to lose control of the HTTPS cert and DNS entry for this domain.

It's hypothesized that this sort of CDN takeover attack was recently utilized against British Airways to steal customers' credit card numbers and other identifying information.

https://shkspr.mobi/blog/2018/11/major-sites-running-unauthenticated-javascript-on-their-payment-pages/

If you don't feel comfortable continuing to maintain the domain name for the next several years after shutting down the site, you may also want to consider contacting the GitHub team and discussing selling/giving them the raw.githubusercontent.com domain.
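The practical defender's question raised by this comment is "which of my pages still pull scripts or stylesheets from a CDN host that may stop being trustworthy?" The inventory script below is an added example written for this page, not code from the rawgit project or from either commenter. It uses only the Python standard library, watches the three hosts named in the thread (rawgit.com, rawgithub.com and raw.githubusercontent.com; any host set can be passed in), and, as an added check motivated by the linked article on "unauthenticated javascript", also reports whether each load carries a Subresource Integrity `integrity` attribute. The HTML and the `sha384-...` values in it are constructed sample data.

```python
"""Inventory third-party <script>/<link rel=stylesheet> loads from watched CDN hosts.

Added example for this issue thread; not part of the rawgit project.
Standard library only. SAMPLE_HTML is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts discussed in the thread. Subdomains of these hosts also match.
WATCHED_HOSTS = {"rawgit.com", "rawgithub.com", "raw.githubusercontent.com"}


class _ExternalResourceParser(HTMLParser):
    """Collect (kind, url, integrity-attribute) for every external script/stylesheet."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append(("script", a["src"], a.get("integrity")))
        elif tag == "link" and a.get("href"):
            rel_tokens = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel_tokens:
                self.found.append(("stylesheet", a["href"], a.get("integrity")))


def _host_matches(host, watched_hosts):
    """True if host is one of the watched hosts or a subdomain of one."""
    host = host.lower()
    return any(host == w or host.endswith("." + w) for w in watched_hosts)


def find_watched_loads(html, watched_hosts=WATCHED_HOSTS):
    """Return one dict per script/stylesheet load whose host is watched.

    Relative URLs ("/assets/app.js") have no hostname and are skipped;
    protocol-relative URLs ("//host/path") resolve to a hostname and are kept.
    """
    parser = _ExternalResourceParser()
    parser.feed(html)
    hits = []
    for kind, url, integrity in parser.found:
        host = urlparse(url).hostname  # None for relative URLs; lower-cased, port stripped
        if host and _host_matches(host, watched_hosts):
            hits.append({
                "kind": kind,
                "url": url,
                "host": host,
                "has_integrity": integrity is not None,
            })
    return hits


def summarize(html, watched_hosts=WATCHED_HOSTS):
    """Count watched loads and how many of them lack an SRI integrity attribute."""
    hits = find_watched_loads(html, watched_hosts)
    return {
        "total": len(hits),
        "without_integrity": sum(1 for h in hits if not h["has_integrity"]),
    }


# Constructed sample page: two watched loads without SRI, one watched load with
# SRI, one unrelated CDN load, and one same-origin script.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://rawgit.com/user/repo/master/style.css">
<script src="//rawgithub.com/user/repo/master/lib.js"></script>
<script src="https://cdn.example.net/jquery.js" integrity="sha384-PLACEHOLDER1"></script>
<script src="/assets/app.js"></script>
</head><body>
<script src="https://raw.githubusercontent.com/user/repo/master/app.js"
        integrity="sha384-PLACEHOLDER2"></script>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_watched_loads(SAMPLE_HTML):
        flag = "SRI" if hit["has_integrity"] else "no SRI"
        print(f'{hit["kind"]:10} {hit["host"]:28} {flag:6} {hit["url"]}')
    print(summarize(SAMPLE_HTML))
```

Run it over saved HTML files (or over templates rendered by your build) to get the same inventory the commenter obtained with a GitHub code search, but for your own sites; the loads reported without an integrity attribute are the ones that would silently run whatever the host serves if it changed hands.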

rgrove commented 5 years ago

Thanks for your concern!

To be clear, the domain githubusercontent.com is owned and controlled by GitHub. I have nothing to do with that domain, and it isn't going away.

I own and control the domains rawgit.com and rawgithub.com, and I intend to retain ownership and control of them forever, for exactly the reasons you've cited. Even after the RawGit service itself shuts down, I won't let the domains fall into anyone else's hands.