from Hacker News

Please petition GitHub to support HTTPS on GitHub pages

by cayblood on 11/27/15, 3:54 AM with 68 comments

by elmin on 11/27/15, 4:59 AM
This is a little weird to me, because it's so easy to host your site a multitude of different ways. The notable thing about GH is its free, which makes complaining about it not having the one feature you want so odd. If you want that feature, pay the buck or two it will cost to host your site on CloudFront with something like Stout [1].
1: http://stout.is
by leighmcculloch on 11/27/15, 4:58 AM
You can use CloudFlare with a custom domain in front of Github Pages. It works. I do this for https://github.com/leighmcculloch/5tweets.com which you can see SSL'd at https://5tweets.com.
by diafygi on 11/27/15, 6:19 AM
FYI, when Let's Encrypt goes public in a week, you'll be able to get free certs without having to install anything by using https://gethttpsforfree.com
Fun fact, the website is just a reverse proxied github static page: https://diafygi.github.io/gethttpsforfree
by alfredxing on 11/27/15, 5:11 AM
I'd love to see SSL support on custom domains as well, but I know there are a couple of reasons why it hasn't happened already:
1. GitHub Pages likely isn't a core focus for GitHub, however useful it may be
2. GitHub Pages is currently completely interface-less, relying only on an automated build system running each site through Jekyll and deploying it. In order to support custom certificates, they would need to build an interface for certificate uploading/maintenance (and of course putting the certs & keys into the repo, like the current CNAME system, won't work).
by kevindeasis on 11/27/15, 4:51 AM
+1
But are you guys seriously going to spam github/contact or support@github.com ?
Because if that was my inbox. I'd be pissed looking at thousands of emails that contain the same body.
by joeyrideout on 11/27/15, 5:02 AM
I agree with imbriaco's sentiment from the linked discussion - using a CDN or some other host that supports SSL to host your static site is a good solution. I recently migrated my GitHub pages site to Amazon S3 and Cloudfront. I had to buy a cheap Comodo SSL certificate and upload it to AWS to get it working with my custom domain, but the documentation[1] was good enough that it didn't take me very long at all.
[1] http://docs.aws.amazon.com/AmazonCloudFront/latest/Developer...
by detaro on 11/27/15, 4:07 AM
What's missing in all that is that they are talking about HTTPS for custom domains, username.github.io supports HTTPS already.
by jstoiko on 11/27/15, 4:57 AM
Maybe let people star a dedicated repo instead of sending an email to github.
by bad_user on 11/27/15, 10:02 AM
While GitHub has a free account, it gets quite expensive when you start paying. And GitHub Pages is a complementary add-on and many of us stayed on GitHub because of nice things like this. I do agree that it isn't their core focus and that people could host their stuff somewhere else for cheap.
However there is something to be said about making encrypted connections the standard. Chrome and Firefox will only support encrypted HTTP 2.0 connections. So if GitHub Pages does not provide HTTPS for custom domains, then it won't support HTTP 2.0. Adding HTTPS support is also the right thing to do given the recent attacks on privacy.
Yes, GitHub Pages is a free add-on that isn't their competency, but in my opinion they should either drop it completely, or support HTTPS. Because otherwise they are keeping the web back due to their popularity.
by alaaibrahim on 11/27/15, 5:06 AM
Yeah, and please send me a free flying car while you are at it.
Obviously everybody would like that, but it's not as easy as it seams. As github pages, technically are virtual domains, they share the same ip with many other pages, if you want to support https, you need to serve either each page on a different ip (not free), or they need a to configure multidomain ssls (which everytime they need to add a new domain, that means they have to reset the certificate for the other domains on the same ip), and I think there is a limit on the number of domains that can share the same ip - citation needed - . And all of this for free.
Want SSL on gh pages, setup a proxy infront of gh pages.
by aritraghosh007 on 11/27/15, 5:11 AM
Its quite a co-incidence that I scouted for an answer for this today while I was setting up SSL for my gh-pages. As already pointed out by some comments, its not quite as simple as we think it is to have GitHub extend SSL for its pages. Its for the same reason that Tumblr doesn't allow SSL support for custom domain either. IMHO, CloudFlare is probably the simplest workaround to get SSL enabled for your gh-pages. Link on how to https://me.net.nz/blog/github-pages-secure-with-cloudflare/
by SamReidHughes on 11/27/15, 6:35 AM
What's missing is, why? It's a static site, so you won't get any real privacy about what you're reading. If you have binaries to distribute, you have other features for releasing them that let you use TLS.
by fibo on 11/27/15, 8:19 AM
I also have my personal website on GH pages + Cloudflare. If it is for a static web site I think it is ok, and thanks to both companies that gives us this service for free.
If you pretend more you can pay and use AWS or some other service.
by stephentmcm on 11/27/15, 5:13 AM
Of note guys there's a little ! icon button in the top of the page to report this gist. It's basically encouraging spam and as everyone has pointed out, is likely not technically sound.
by kentbrew on 11/27/15, 6:33 AM
Worth noting: https works on yourname.neocities.org.
by Sir_Cmpwn on 11/27/15, 5:24 AM
I add SSL through a proxy to GitHub pages.
by zackify on 11/27/15, 4:03 AM
Been wanting built in ssl forever.
by jakobegger on 11/27/15, 6:22 AM
Isn't Github Pages hosted on S3? That would explain the lack of TLS on custom domains.
Anyway, this is a very major security flaw. Lots of software uses Github pages for the project website. If you put a download link on an unsecure page, you are putting all your customers st risk.