[kwlug-disc] Free web storage for static HTML?

Paul Nijjar paul_nijjar at yahoo.ca
Sun Oct 19 15:18:30 EDT 2025 

I agree that you would have been safe from this particular attack. But
self-hosting does not mean you are home free: 

- You still have to worry about domain renewal and DNS squatting

- You have to make sure your DNS is updated when your IP address
  changes (which is less issue if you are hosting in the cloud, but if
  you are hosting in the cloud then your hosting is no longer free
  (granted buying a domain name also makes your hosting not free)). 

- If you are hosting from home, your ISP might block you arbitrarily for
  hosting servers on the Internet connection you pay for. (Does Rogers
  still do this?)

- You still have to deal with setting up and maintaining SSL certs.
  With Let's Encrypt this is much easier than before but it still
  takes some work. 

- You had better keep up with security updates, and you probably want
  to configure a strong firewall.

The only headache-free option is not to play. I don't know whether
going with self-hosting or cloud hosting is less headache overall. 

- Paul

On Sun, Oct 19, 2025 at 03:00:58PM -0400, Chris Frey wrote:
> Some folks might read this and think "oh no! administration is a
> headache and I can't cover all these bases!  I'd better not run my own
> stuff."
> 
> But this is a case where if you ran your own DNS, and your own webserver,
> you'd have been protected from this, even with a wildcard CNAME.
> 
> The key is by using the free github service, which is also used by
> millions of other people, you need to be on your guard.  But there
> is nobody setting up spammy-crap.rmoff.info in your own webserver,
> so you'd have been safe by default.
> 
> - Chris
> 
> 
> On Sun, Oct 19, 2025 at 02:39:08PM -0400, Paul Nijjar via kwlug-disc wrote:
> > 
> > This attack was sneaky. The gambling site was also hosted on github.io
> > , and the attacker just pointed their CNAME for the site to
> > waterlooregionvotes.org . 
> > 
> > The PSA here is that if you are hosting a custom domain on github
> > pages then you should verify the domain with a TXT record: https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages
> > 
> > If you do not verify your domain then people can snipe the CNAME from
> > under you when you try to switch the domain to another project (which
> > is what happened in this situation). 
> > 
> > Our site is not fixed yet but it will no longer promote indonesian
> > gambling. The hard part is that I do not see a way to identify the
> > account that stole our CNAME.
> > 
> > You also need to be careful about being too generous with subdomains.
> > See: https://rmoff.net/2024/01/16/hosting-on-github-pages-watch-out-for-subdomain-hijacking/
> > 
> > - Paul
> > 
> > On Sun, Oct 19, 2025 at 01:20:13PM -0400, Paul Nijjar via kwlug-disc wrote:
> > > 
> > > It looks like the waterlooregionvotes.org site has been taken over by
> > > an Indonesian gambling site. I will ask the current maintainers of the
> > > site to investigate. In the meantime you don't want to go there. 
> > > 
> > > - Paul
> > > 
> > > On Sun, Oct 19, 2025 at 01:49:46AM -0400, Paul Nijjar via kwlug-disc wrote:
> > > > 
> > > > Github pages should work? So should Gitlab pages.
> > > > waterlooregionvotes.org is on github pages.
> > > > 
> > > > If you want to go old school you could use neocities.org . I have my
> > > > blog mirrored there for free.
> > > > 
> > > > - Paul
> > > > 
> > > > On Sun, Oct 19, 2025 at 01:28:48AM -0400, William Park via kwlug-disc wrote:
> > > > > Trying to help out few non-techie people, but I'm also interested
> > > > > personally...
> > > > > 
> > > > > How do you make *static HTML* files available online for *free?*
> > > > > 
> > > > > I looked at
> > > > > 
> > > > >  * Google Site -- you can't upload html file
> > > > >  * Dropbox -- it shows you the text content of HTML files.
> > > > >  * GitHub -- same thing.
> > > > > 
> > > > > Failing that, I'm considering
> > > > > 
> > > > >  * Put the files on USB stick, and plug it into router.� It has
> > > > >    web/file server.� I would have to register DDNS, though.
> > > > >  * Set up web server on a Linux computer.� But, I don't want to be
> > > > >    "tech support".
> > > > 
> > > > > _______________________________________________
> > > > > kwlug-disc mailing list
> > > > > To unsubscribe, send an email to kwlug-disc-leave at kwlug.org
> > > > > with the subject "unsubscribe", or email
> > > > > kwlug-disc-owner at kwlug.org to contact a human being.
> > > > 
> > > > 
> > > > _______________________________________________
> > > > kwlug-disc mailing list
> > > > To unsubscribe, send an email to kwlug-disc-leave at kwlug.org
> > > > with the subject "unsubscribe", or email
> > > > kwlug-disc-owner at kwlug.org to contact a human being.
> > > 
> > > _______________________________________________
> > > kwlug-disc mailing list
> > > To unsubscribe, send an email to kwlug-disc-leave at kwlug.org
> > > with the subject "unsubscribe", or email
> > > kwlug-disc-owner at kwlug.org to contact a human being.
> > 
> > _______________________________________________
> > kwlug-disc mailing list
> > To unsubscribe, send an email to kwlug-disc-leave at kwlug.org
> > with the subject "unsubscribe", or email
> > kwlug-disc-owner at kwlug.org to contact a human being.
> 
> _______________________________________________
> kwlug-disc mailing list
> To unsubscribe, send an email to kwlug-disc-leave at kwlug.org
> with the subject "unsubscribe", or email
> kwlug-disc-owner at kwlug.org to contact a human being.

More information about the kwlug-disc mailing list