First of all, any subdomain system domain is already a bit phishy, because you need to somehow parse whether github.io is officially part of github.com and not, say, something like git-hub.xyz run by a phisher, or whatever new TLD is out there. These things are used by sysadmin/project pairs that can't budget $1/month for a domain name, so it's 100% a security/price tradeoff.
Second of all, the actual domain host is publishing as one of these untrusted users on their alternate subdomain, so it could be a phisher using a subdomain of the official alternate domain with malicious material.
Thirdly, even if it is all legit, it is still a problem, because it weakens security posture: it trains users to ignore domain names.
I understand if it appears subtle, but I wish that we lived in a world where whoever is responsible for this gets put on a PIP.
I get your general objections, but not in this specific case. GitHub has been using github.io for Pages since 2013, and it's been the de facto developer platform at least as long (and all other developer tools follow the same pattern when publishing user-generated content). Unless GH has a massive vulnerability that hasn't been discovered yet, no one is publishing to *.github.github.io except for the official GitHub organization. That has been more stable than Linux syscalls and Windows GUI frameworks.
Would it really make a difference if they just added a CNAME from foobar.github.com to point at github.github.io?
Yes, that would help, but it's not very discoverable.
I think a certificate mechanism would be much more appropriate for that.
The SSL certificate should be issued for both github.com and github.io.
Of course, since github.io is rented out, it doesn't make sense there. But if you ever have an alias, that's the way to do it: if I get a link to getproduct.com and it gets redirected to product.com, I can check the cert and see that it was issued for both domains.
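An added example (not code from the thread or from GitHub) of the check the commenter describes: take a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, pull out its DNS Subject Alternative Names, and test whether both the alias hostname and the canonical hostname are covered. Wildcard matching follows the RFC 6125 rule (a leading `*` matches exactly one label and never the bare parent). The two certificates are constructed samples, not real github.com or product.com certificates; `fetch_peer_cert` is included only so the same check can be run against a live host, and the offline demo never calls it. The second sample shows why the idea fails on a rented-out domain: a `*.github.io` certificate covers `evil.github.io` just as well as `github.github.io`, so it says nothing about who published the page.

```python
"""Check whether one TLS certificate's SANs cover both an alias and its canonical name.

Example added for this thread; not the project's own code. Certificates are
dicts shaped like ssl.SSLSocket.getpeercert() so the demo runs offline.
"""
import socket
import ssl


def san_dns_names(cert):
    """Return the DNS entries of subjectAltName from a getpeercert()-shaped dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(pattern, hostname):
    """True if a single SAN pattern covers hostname (RFC 6125 single-label wildcard)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # "*.example.com" matches "a.example.com" but neither "example.com"
    # nor "a.b.example.com": the wildcard stands for exactly one label.
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers(cert, hostname):
    """True if any DNS SAN on the certificate matches hostname."""
    return any(san_matches(p, hostname) for p in san_dns_names(cert))


def alias_check(cert, alias, canonical):
    """The commenter's test: both the alias and the canonical name are on the one cert."""
    return {"alias": cert_covers(cert, alias), "canonical": cert_covers(cert, canonical)}


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch a live certificate in getpeercert() form (network; not used below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates (hypothetical; not the real certs of these sites).
PRODUCT_CERT = {
    "subject": ((("commonName", "product.com"),),),
    "subjectAltName": (("DNS", "product.com"), ("DNS", "getproduct.com")),
}
PAGES_CERT = {
    "subject": ((("commonName", "*.github.io"),),),
    "subjectAltName": (("DNS", "*.github.io"), ("DNS", "github.io")),
}

if __name__ == "__main__":
    # The alias case the commenter has in mind: one cert, both names listed.
    print(alias_check(PRODUCT_CERT, "getproduct.com", "product.com"))
    # A wildcard on a rented-out domain covers every tenant equally.
    for host in ("github.github.io", "evil.github.io", "github.io", "a.b.github.io"):
        print(host, cert_covers(PAGES_CERT, host))
```

To run the same check against a real host, replace the constructed dict with `fetch_peer_cert("getproduct.com")`; the returned dict has the same `subjectAltName` layout. Note that the wildcard rule is exactly the subtlety the thread is circling: `github.github.io` and `evil.github.io` both pass under `*.github.io`, while `a.b.github.io` does not.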