Lawrence and crew just responded to my tweet on this. They use Stripe, which is encrypted. The SSL certs for the page that is unencrypted will be up later today.
I'm very unhappy with their replies on Twitter. They can't just say that the information is going to Stripe and Stripe is safe.
The facts are, they have a form which asks people to put their credit card number in it. That form is on an unprotected page, which means it is vulnerable to some advanced attacks even before posting.
Further, the form posts back to the same unprotected page. I don't see any evidence of fancy Javascript behaviors to prevent the posting, but even if it were so, they are still putting their users in significant danger of having that information plucked out of the air by anyone who might be able to sniff the traffic on any leg of the trip from the user's Wifi all the way to the company's firewall.
The HTML of the form shows as POSTing to the same page, but the Stripe JS captures the submit event and cancels it, then makes an API call to Stripe's server via a secure connection. It works, but it is still somewhat vulnerable to MitM attacks.
I like @lessig's latest response. Much more firm and reassuring:
I'm pushing and anxious because this is exactly the sort of problem that could negatively impact the entire campaign, and I think there is worth to the goal. I hope they take a strong stance and fix it quickly rather than trying to placate and coast to a fix.
Looks like they got the cert deployed, although the process isn't directed to https yet. I hand-added https to the URL for the payment collection page and had no issues.
Yeah, I was going to donate but stopped as soon as I realized that (Thanks LastPass for warning me before auto-filling).
I submitted a comment on their feedback form letting them know, but I'm very surprised that Stripe would be involved and not help them avoid such a significant goof-up.
We have decided upon using Stripe as our payment processor. Stripe has offered us a very competitive rate (for which we thank them), and Stripe is compliant with PCI requirements and no sensitive data hits our servers. When you enter in your credit card information, it is not stored on the mayone.us site and goes directly to Stripe via the Stripe.js API.
The data sent to the Stripe API by the stripe.js code are safe, assuming you got an unmodified stripe.js and that other code was not injected into the page to sniff out the payment data you entered. All in all, your data are probably still safe but this was a definite major OOPS on their part regardless.
Originally, I was more worried because looking at just the HTML, it seemed that it was doing a straightforward post.
They are relying on the stripe.js code to abort the standard form submission and submit via SSL to Stripe's server. What you said still stands though and it is possible for that JS to be circumvented by design or by accident which could cause the information to be sent over an unsecured connection where it could be intercepted.
But since the page s served over HTTP, your browser has no way to know if it got the original page (which is probably safe) or if someone modified it in-transit to include malicious code.
Maybe naive, but that's a showstopper for me.