Sounds like they are testing the fundraising mechanism.
The first goal is $1M in 30 days, the second is $5M in 30 more days. In both cases the funds will be matched, so they already have $6M near hand, and realistically there isn't that much more you can do with $12M that you can't do with $6M.
I suspect May is to get the first little news articles in the press (Kickstarter meets Elections, underdog to use super pac against super pacs). The June goal is for the follow up articles that should get more widespread coverage.
I'm all for putting campaign finance reform at the front of 2014 and 2016. I'm in.
###ALERT### Check for SSL before donating. As of now the page is not secured.
Edit: Broken autofill on the donation page? Come on, make it easy. I had to type characters and access my memory to make this happen instead of just clicking.
Lawrence and crew just responded to my tweet on this. They use Stripe, which is encrypted. The SSL certs for the page that is unencrypted will be up later today.
I'm very unhappy with their replies on Twitter. They can't just say that the information is going to Stripe and Stripe is safe.
The facts are, they have a form which asks people to put their credit card number in it. That form is on an unprotected page, which means it is vulnerable to some advanced attacks even before posting.
Further, the form posts back to the same unprotected page. I don't see any evidence of fancy Javascript behaviors to prevent the posting, but even if it were so, they are still putting their users in significant danger of having that information plucked out of the air by anyone who might be able to sniff the traffic on any leg of the trip from the user's Wifi all the way to the company's firewall.
The HTML of the form shows as POSTing to the same page, but the Stripe JS captures the submit event and cancels it, then makes an API call to Stripe's server via a secure connection. It works, but it is still somewhat vulnerable to MitM attacks.
I like @lessig's latest response. Much more firm and reassuring:
I'm pushing and anxious because this is exactly the sort of problem that could negatively impact the entire campaign, and I think there is worth to the goal. I hope they take a strong stance and fix it quickly rather than trying to placate and coast to a fix.
Looks like they got the cert deployed, although the process isn't directed to https yet. I hand-added https to the URL for the payment collection page and had no issues.
Yeah, I was going to donate but stopped as soon as I realized that (Thanks LastPass for warning me before auto-filling).
I submitted a comment on their feedback form letting them know, but I'm very surprised that Stripe would be involved and not help them avoid such a significant goof-up.
We have decided upon using Stripe as our payment processor. Stripe has offered us a very competitive rate (for which we thank them), and Stripe is compliant with PCI requirements and no sensitive data hits our servers. When you enter in your credit card information, it is not stored on the mayone.us site and goes directly to Stripe via the Stripe.js API.
The data sent to the Stripe API by the stripe.js code are safe, assuming you got an unmodified stripe.js and that other code was not injected into the page to sniff out the payment data you entered. All in all, your data are probably still safe but this was a definite major OOPS on their part regardless.
Originally, I was more worried because looking at just the HTML, it seemed that it was doing a straightforward post.
They are relying on the stripe.js code to abort the standard form submission and submit via SSL to Stripe's server. What you said still stands though and it is possible for that JS to be circumvented by design or by accident which could cause the information to be sent over an unsecured connection where it could be intercepted.
But since the page is served over HTTP, your browser has no way to know if it got the original page (which is probably safe) or if someone modified it in-transit to include malicious code.
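The checks discussed in this thread (how the page itself is served, where its scripts load from, and where the form posts if the submit handler never runs), as an added example that is not part of any commenter's post or the site's own code. The host `donate.example`, the field names and `SAMPLE_HTML` are constructed for illustration.

```javascript
// Added example: transport audit of a card-collection page.
// SAMPLE_HTML is constructed for illustration; it is not the real page's markup.
const SAMPLE_HTML = `
<html><head>
<script src="https://js.stripe.com/v2/"></script>
<script src="/static/donate.js"></script>
</head><body>
<form id="donate" method="POST" action="">
  <input name="cc-number" autocomplete="cc-number">
  <input name="cc-exp" autocomplete="cc-exp">
</form>
</body></html>`;

// Read a double-quoted attribute from a single opening tag (enough for this sample).
function attr(tag, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, "i").exec(tag);
  return m ? m[1] : null;
}

// Return findings for anything that would travel, or could be altered, over plain HTTP.
function auditPaymentPage(pageUrl, html) {
  const base = new URL(pageUrl);
  const findings = [];
  if (base.protocol !== "https:") {
    findings.push("page-not-https: markup and scripts can be modified in transit");
  }
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = attr(tag, "src");
    if (src === null) continue; // inline script: shares the page's transport
    const resolved = new URL(src, base);
    if (resolved.protocol !== "https:") {
      findings.push(`script-not-https: ${resolved.href}`);
    }
  }
  for (const tag of html.match(/<form\b[^>]*>/gi) || []) {
    // An empty or missing action posts back to the page URL. This is where the
    // card fields go if the script that cancels the submit fails to run.
    const target = new URL(attr(tag, "action") || "", base);
    if (target.protocol !== "https:") {
      findings.push(`form-fallback-not-https: ${target.href}`);
    }
  }
  return findings;
}

console.log(auditPaymentPage("http://donate.example/pledge", SAMPLE_HTML));
```

Serving the same markup from an `https://` URL clears all three findings, because the relative script and the form's fallback target both inherit the page's scheme.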