Add lesson footnote to avoid potential security exploit? #2874

Description

@amandavisconti

Hello!

Overview: I am requesting consideration of adding a footnote to the following lessons to help readers avoid a potential security exploit:

The issue: I was recently made aware of a security exploit that can be prevented by two GH and DNS settings, which despite my experience with all these things I hadn't previously known (I believe the exploit may have first been reported last fall). If you set up a GH Pages site from a GH repo to use a custom domain (rather than the default github.io domain), certain settings allow a malicious or accidental actor to create their own site reachable by a subdomain of your domain (e.g. I set up awesome.dogs.com, other person could set up fake.dogs.com despite my owning dogs.com). More info in this Twitter thread. Simple changes to DNS settings and use of a user-level (not repo-level) GH setting can help avoid this, but these are easily missed and not viewable from a specific repo's GH Pages/custom domains settings areas.

Urgency level: Medium?

  • These lessons do not directly cover how to do the work that would make a site vulnerable (adding a custom domain name to the site the lessons directly tell you how to set up).
  • However, the lessons do mention that adding a custom domain is a post-lesson next-step option.
  • I would be okay if you don't think this addition should be made to the lesson (including because it requires some extra work), but adding a footnote rather than change to the main lesson text felt like a good balance of keeping readers safe, while not constantly suggesting updates to lessons around things not directly covered in the lessons?
  • This achieves PH's goal of taking reasonable steps toward lesson readers not doing something that would make them vulnerable to a security exploit.
  • This exploit may have been around for a while, but recent discussion and a series of videos demonstrating the exploit might make it more urgent to make this change.

Actions requested

  1. On this lesson, add a footnote at the end of the sentence "Instructions on setting up a custom domain name can be found here." The footnote text should be: "If you set up a custom domain with your GitHub Pages-hosted website, to avoid a known security exploit please make sure to also read and follow the steps in GitHub's documentation to both verify your domain and avoid using wildcard DNS records."

  2. On this lesson, add a footnote at the end of the sentence that ends with "switch your website to using that instead of username.github.io/repo-name but still use GitHub Pages' free hosting". The footnote text should be: "If you set up a custom domain with your GitHub Pages-hosted website, to avoid a known security exploit please make sure to also read and follow the steps in GitHub's documentation to both verify your domain and avoid using wildcard DNS records."

Thank you!
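The two mitigations the issue asks readers to follow (no wildcard DNS records pointing at GitHub Pages, and account-level domain verification) can be checked against a zone's records. The script below is an added example written for this page; it is not part of the Programming Historian lessons, the issue, or GitHub's tooling. It works on a constructed list of (name, type, value) records rather than querying a resolver, so it runs offline. The `dogs.com` zone, the `exampleuser` account name and the TXT value are constructed; the GitHub Pages A-record addresses and the `_github-pages-challenge-<username>` TXT owner name follow GitHub's documentation at the time of writing and should be confirmed against the current docs.

```python
"""Audit DNS records for the wildcard pattern behind the GitHub Pages
subdomain issue described above, and for the domain-verification TXT record.

Constructed example: records are tuples of (owner name, record type, rdata)
so the check runs offline without a DNS query.
"""
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)

# Addresses GitHub documents for Pages apex A records at the time of writing;
# confirm against GitHub's current documentation before relying on them.
GITHUB_PAGES_IPS = {
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
}


def points_at_github_pages(rtype: str, value: str) -> bool:
    """True if an A or CNAME record routes traffic to GitHub Pages."""
    if rtype == "CNAME":
        return value.rstrip(".").lower().endswith(".github.io")
    if rtype == "A":
        return value in GITHUB_PAGES_IPS
    return False


def find_wildcard_pages_records(records: List[Record]) -> List[Record]:
    """Return wildcard records (owner starts with '*.') that route to GitHub Pages.

    A wildcard means every unclaimed label under the zone already resolves to
    GitHub, so any Pages repo that claims such a hostname receives the traffic
    unless the domain is verified at the account level.
    """
    return [r for r in records
            if r[0].startswith("*.") and points_at_github_pages(r[1], r[2])]


def has_domain_verification(records: List[Record], zone: str, username: str) -> bool:
    """Check for the TXT record GitHub's domain-verification flow publishes.

    The owner-name format (_github-pages-challenge-<username>.<zone>) follows
    GitHub's docs; verify it in your own account settings (assumption).
    """
    owner = f"_github-pages-challenge-{username}.{zone}".lower()
    return any(r[0].lower().rstrip(".") == owner and r[1] == "TXT" for r in records)


def audit(records: List[Record], zone: str, username: str) -> List[str]:
    """Return a list of findings; an empty list means both mitigations are in place."""
    findings = []
    for name, rtype, value in find_wildcard_pages_records(records):
        findings.append(
            f"wildcard {rtype} {name} -> {value}: replace with explicit hostnames")
    if not has_domain_verification(records, zone, username):
        findings.append(
            f"no _github-pages-challenge TXT for {username}: verify the domain "
            "in account (not repository) settings")
    return findings


# Constructed zone for dogs.com in the weak configuration: the wildcard CNAME
# sends fake.dogs.com (and any other label) to GitHub Pages.
WEAK_ZONE: List[Record] = [
    ("dogs.com", "A", "185.199.108.153"),
    ("*.dogs.com", "CNAME", "exampleuser.github.io."),
]

# Same zone after the fix: only the hostnames actually in use are delegated,
# and the verification TXT record ties the domain to one GitHub account.
FIXED_ZONE: List[Record] = [
    ("dogs.com", "A", "185.199.108.153"),
    ("awesome.dogs.com", "CNAME", "exampleuser.github.io."),
    ("_github-pages-challenge-exampleuser.dogs.com", "TXT", "constructed-token"),
]

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("fixed", FIXED_ZONE)):
        print(label, audit(zone, "dogs.com", "exampleuser") or ["ok"])
```

To run it against a real zone, export the records from your DNS provider into the same tuple form; the script deliberately does not resolve anything itself, so it only reports on the data you hand it.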
