
Isn't Github Pages hosted on S3? That would explain the lack of TLS on custom domains.

Anyway, this is a very major security flaw. Lots of software uses Github pages for the project website. If you put a download link on an unsecure page, you are putting all your customers at risk.



Github Pages is their own infrastructure for hosting files and static sites: http://githubengineering.com/rearchitecting-github-pages/

Also the download files themselves can be hosted on Github repos as releases which supports TLS.


Hosting the downloads themselves via HTTPS is completely useless if the link to that file is transferred over HTTP.


Link to the repo/releases page...


Jesus Christ, you really don't understand, do you?

If the original website is insecure, everything could be faked, including the link to the releases page.

If HN readers don't understand this, who does?



