
Is it really not obvious?

The site's FAQ admits that it'll engage in what is basically a man-in-the-middle attack against content that receives heavy traffic, for instance. See the "rawgithub.com will start serving evil.js and evil.css instead of requested JS and CSS files" part of one of the answers.

If the content being served will be modified in some cases, is there really anything preventing it from being modified in a different (perhaps more malicious) way in some other cases?

Like anything else, a service like this is itself susceptible to breach, of course. There's always the potential that it gets compromised, and starts acting in a malicious manner, initially undetected by its creators/operators/users.

Some may argue that this is acceptable risk for content served up for demonstration purposes. I'm not certain that's necessarily true. A demo being unexpectedly modified in a harmful way (racial slurs inserted into a web site's text, malicious JavaScript being injected, and so on) could seriously affect the demo giver's reputation, for example.

It's not difficult, nor expensive, to set up your own publicly facing web server. If already using GitHub, git makes it quite simple to fetch and update any content being served up. While there is still risk associated with such a setup, you are cutting out at least one other party by doing things yourself, avoiding the harm they could potentially cause. So services of this type seem quite unnecessary, and perhaps more of a risk than they're worth.



> Is it really not obvious?

I first thought he meant it was a horrible idea for the owner of RawGithub.com: serving arbitrary JavaScript. But that shouldn't be a problem as long as you use a completely separate domain and never care about cookies.

As for the users of the service: it's not any less secure than running JavaScript from any other web server. You can of course never trust that it's serving the correct data, but I don't see how that's horrible security-wise. If you're going to demo it yourself you can easily clone the repo yourself (or set up gh-pages). This is for users who want to quickly check out someone else's repo without cloning it.
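The "never trust that it's serving the correct data" point above has a simple defensive check behind it. The following is an added example, not code from the thread or from the rawgithub.com project: it recomputes the git blob id of whatever bytes a proxy or CDN hands back and compares it with the blob id you pinned from the repository beforehand, so a substituted file is rejected before it is ever loaded. The sample inputs are constructed for the demonstration.

```python
import hashlib


def git_blob_sha1(content: bytes) -> str:
    """Return the SHA-1 git assigns to `content` when stored as a blob.

    git hashes the header "blob <size>\\0" followed by the raw bytes, so the
    result is identical to `git hash-object <file>` run on a local checkout.
    """
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def served_content_matches(served: bytes, expected_blob_sha: str) -> bool:
    """True only if the bytes received hash to the blob id pinned from the repo."""
    return git_blob_sha1(served) == expected_blob_sha.lower()


# Constructed sample: the committed file is the classic "hello\n" blob.
COMMITTED = b"hello\n"
# Pinned ahead of time, e.g. from `git hash-object demo.js` on a trusted clone.
PINNED_SHA = "ce013625030ba8dba906f756967f9e9ca394464a"

# Constructed sample of the substitution the FAQ describes: a different file
# returned in place of the one that was requested.
SUBSTITUTED = b"/* not the file that was requested */\n"


def demo() -> dict:
    """Run the check against the genuine and the substituted payload."""
    return {
        "genuine": served_content_matches(COMMITTED, PINNED_SHA),
        "substituted": served_content_matches(SUBSTITUTED, PINNED_SHA),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'matches pinned blob' if ok else 'MISMATCH, do not load'}")
```

The pin has to come from somewhere the intermediary cannot touch (a local clone, or a commit you inspected), otherwise the check only proves the server is consistent with itself. It also does nothing about a browser `<script src>` tag, which loads whatever arrives; it suits a build step or a fetch-then-eval loader that can refuse a mismatch.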


A lot of this complaint also applies to raw.github.com. Much of it applies to anyone who provides an online service of any sort.

> If the content being served will be modified in some cases, is there really anything preventing it from being modified in a different (perhaps more malicious) way in some other cases?

Malicious modifications would be unethical and possibly illegal. Malicious modifications would also likely make customers who noticed them abandon the service and tell the world about the situation. Of course, these facts would only stop the service providers if they care about ethics, legality, retention or reputation. I'm assuming that this particular service provider does, because the GitHub repo where the code is hosted mentions the author's real name [1].

[1] Whether someone reveals their real name isn't a perfect test of malicious intent [2]. A malicious provider might make up a fake name to build trust, and many people -- myself included -- lack malicious intent, but prefer to remain anonymous.

[2] A perfect test to tell whether an RFC-compliant web service is malicious is to test the evil bit, as specified in RFC 3514. To quote from it, "Benign packets have [the evil] bit set to 0; those that are used for an attack will have the bit set to 1... An application/evil MIME type is defined for Web- or email-carried mischief."


This service is all about work-in-progress and demo projects. Just to show it off for a quick demo or whatever. You're completely right, but also missed the point of this tool completely.


This is exactly right.

Anyone who's using rawgithub.com in a situation where harm could be done by running arbitrary third-party JS is probably misusing rawgithub.com.



