Closed JLLeitschuh closed 5 years ago
Thanks for your concern!
To be clear, the domain githubusercontent.com is owned and controlled by GitHub. I have nothing to do with that domain, and it isn't going away.
I own and control the domains rawgit.com and rawgithub.com, and I intend to retain ownership and control of them forever, for exactly the reasons you've cited. Even after the RawGit service itself shuts down, I won't let the domains fall into anyone else's hands.
Hi, First off, I want to thank you for running this service for the past 5 years. I know it's gained a lot of popularity. A quick search of GitHub shows that there are ~4 million uses of your site in code across GitHub.
The domain name raw.githubusercontent.com is incredibly valuable to a malicious actor looking to be able to serve their own malicious content to any site that is using raw.githubusercontent.com as a CDN (even though you explicitly advise people against doing this).
By your own account on this project's homepage:
With that kind of traffic, I can almost guarantee that there are hackers out there just waiting for your DNS entry and/or HTTPS cert for raw.githubusercontent.com to expire so that they can take over the domain.
I 100% respect your desire to no longer run RawGit. However, you need to be incredibly careful not to lose control of the HTTPS cert and DNS entry for this domain.
It's hypothesized that this sort of CDN takeover attack was recently utilized against British Airways to steal customers' credit card numbers and other identifying information.
https://shkspr.mobi/blog/2018/11/major-sites-running-unauthenticated-javascript-on-their-payment-pages/
If you don't feel comfortable continuing to maintain the domain name for the next several years after shutting down the site, you may also want to consider contacting the GitHub team and discussing selling/giving them the raw.githubusercontent.com domain.
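An added example, not part of the original thread: one way a site owner could audit their own pages for scripts and stylesheets loaded from the rawgit.com and rawgithub.com domains named in the maintainer's reply, and report whether each reference carries a Subresource Integrity `integrity` attribute. The sample HTML, the placeholder hash and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the thread; subdomains such as cdn.rawgit.com also match.
WATCHED = ("rawgit.com", "rawgithub.com")

def watched_host(url):
    """Return the hostname if url is on a watched domain or subdomain, else None."""
    # urlparse also handles protocol-relative URLs such as //rawgit.com/...
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for domain in WATCHED:
        # Exact or dot-separated suffix match, so rawgit.com.example.net is not a hit.
        if host == domain or host.endswith("." + domain):
            return host
    return None

class Audit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        else:
            return
        host = watched_host(url or "")
        if host:
            # "pinned" means the tag has a non-empty integrity attribute.
            self.findings.append({"line": self.getpos()[0], "tag": tag, "host": host,
                                  "url": url, "pinned": bool(a.get("integrity"))})

def audit(html):
    parser = Audit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the integrity value is a placeholder, not a real hash.
SAMPLE = """<html><head>
<script src="https://cdn.rawgit.com/user/repo/v1.0.0/lib.js"></script>
<script src="//rawgit.com/user/repo/master/app.js" integrity="sha384-PLACEHOLDER"></script>
<link rel="stylesheet" href="https://rawgithub.com/user/repo/master/site.css">
<script src="https://rawgit.com.example.net/x.js"></script>
<script src="/static/local.js"></script>
</head></html>"""
```

Calling `audit(SAMPLE)` returns three findings; the two without `integrity` are the references whose content depends entirely on who controls the domain.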