by elmin 3862 days ago
This is a little weird to me, because it's so easy to host your site a multitude of different ways. The notable thing about GH is it's free, which makes complaining about it not having the one feature you want so odd. If you want that feature, pay the buck or two it will cost to host your site on CloudFront with something like Stout [1].

1: http://stout.is

7 comments

You can as well deploy on OpenShift. They provide 3 small gears for free and allow SSL for bronze accounts (requires credit card info, but no payments until you go over the free limit).

https://www.openshift.com/

Github provides an all-in-one hosting solution for Open Source projects. You can host code, bug tracker, binaries, and the project website all on Github. I use it to host http://postgresapp.com, for example. It's extremely convenient.

But there is one big gaping security hole: If your project page is served over plain HTTP, and people click on the download link, they are vulnerable to a man-in-the-middle attack. An attacker could change the link to point to a malicious binary instead.

The only way to prevent this is to make sure that your customers don't access your website over HTTP. And this is why HTTPS support for Github pages is important.

Can't a MITM change the DNS for "postgresapp.com" to one of their servers, regardless of HTTPS?

No. If the client connects via HTTPS, it will only connect to a server that presents a valid cert.

We provide both SNI based SSL (starting at $9 including the cert) and full SSL ($49) with CDN based hosting at https://www.netlify.com

As many others have noted, even when once in the future you'll be able to rely on free certificates from Let's Encrypt, serving millions of sites with different certificates (that need to be replaced every 90 days) adds lots of complexity to any CDN based infrastructure and costs real money.

Apart from that, if you do just SNI based SSL you have to add support costs for explaining to people that don't know the implications why things like some automation tools, old Android browsers, IE on Windows XP, etc., break.

And if you do full SSL you need to allocate lots of IP addresses at each CDN PoP which is expensive.

The certificate is just a small part of the equation when you're offering CDN based SSL.

Ironically, Stout does not support SSL "out of the box": https://github.com/EagerIO/Stout#ssl

Why is securing the web a hassle? Is it just that the certificate trust chain is so fluxored? (Crockford has an interesting perspective here in recent talks)

That's another thing to configure and worry about though, especially if it's just for open source side projects which can be hard to justify spending $ on.

That's another service you have to monitor to see if it's continuing, another service to be hacked, another account user/pass to have.

There's also a multitude of easy ways to host your own git repository and a bug tracker.

However, I prefer to use GitHub so that I have all of it in one place, including the website, and I don't have to spend time managing the infrastructure.

Although they do have free accounts, Github is not completely free. A lot of developers like myself use the paid plans simply because we go over the limits of the free accounts and use it for work (private repos).