undefined | Better HN

0 pointshtaunay9y ago0 comments

404 is Github's default answer for when you try to access a private repo you don't have access to.

You can test it by logging out of our account and attempting to access a private repo url you usually can access.

0 comments

5 comments · 2 top-level

jandrese9y ago· 3 in thread

Shouldn't this be a 403? Making it a 404 is confusing.

The primary reason to do this is the same as why most logins will just say "incorrect username or password" rather than revealing the username is in fact, correct, and just the password is wrong. You don't want to reveal the identity or location of something that is hidden. If I have an unannounced project at github.com/ocdtrekkie/unannouncedproject, you might discover the name of my unannounced project by fishing for URLs that come up 403 instead of 404.

Confirming something exists narrows what someone looking to find out something secret has to look for. If you know what my username is, you only have to guess passwords for that username. If you know what my project name is, you only need to look for references elsewhere to that project name.

Just knowing the project exists could be telling, if your project was like... github.com/apple/nintendo-igameboyphone it would potentially be a really revealing thing if you hadn't announced it yet. Slack had a big fiasco when entering a fake @whatever.com address would let someone see whatever.com's teams prior to email verification. From just room names alone you could discern some potential acquisitions in negotiation, teams at Microsoft or Apple you might not have otherwise known existed, etc.

MichaelGG9y ago

A command line timing attack I just tried seems to be able to distinguish between the two. It seems that, as a logged-in user, the real repo takes around 5% longer to respond than a fake one. But this might not be robust - I just used time + loop in bash. Perhaps someone wants to setup a list of nonpublic+fake repos and see if there's consistent difference.

jandrese9y ago

Seems to me if you don't want a project to be public knowledge don't put it on the Internet. Private projects are what internal repositories are for. You can always transition it to Github once it's open to the public.

At the very least, the administrators at Github are going to know about your project, and you don't know who they all are.

jimcsharp9y ago

I was just noodling about this idea for my current project. I suppose 403ing would enable an adversary to know if something exists or not?

j / k navigate · click thread line to collapse