
Your money and info are absolutely not safe if they travel over http instead of https. No matter what they do with the data upon receipt.



The data sent to the Stripe API by the stripe.js code are safe, assuming you got an unmodified stripe.js and that other code was not injected into the page to sniff out the payment data you entered. All in all, your data are probably still safe but this was a definite major OOPS on their part regardless.


Originally, I was more worried because looking at just the HTML, it seemed that it was doing a straightforward post.

They are relying on the stripe.js code to abort the standard form submission and submit via SSL to Stripe's server. What you said still stands though and it is possible for that JS to be circumvented by design or by accident which could cause the information to be sent over an unsecured connection where it could be intercepted.
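The dependence described in the comment above can be checked statically. The following is an added example, not part of the thread or of Stripe's code: it audits what a form would send if the script never intercepted the submit. The function name, finding labels, field names and sample markup are all hypothetical.

```javascript
// Added example: audit a payment form's fallback path, i.e. what the browser
// would send natively if the submit handler never ran.
// Regex parsing is a simplification, adequate for the constructed samples below.
const CARD_HINT = /card|cc-|cvc|cvv|exp/i;

function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

function auditPaymentForm(html, pageUrl) {
  const findings = [];
  if (new URL(pageUrl).protocol !== "https:") {
    findings.push("page-not-https"); // markup and scripts can be altered in transit
  }
  for (const form of html.match(/<form\b[\s\S]*?<\/form>/gi) || []) {
    const open = form.match(/<form\b[^>]*>/i)[0];
    // A missing action submits to the page's own URL.
    const target = new URL(attr(open, "action") || "", pageUrl);
    // Only inputs with a name attribute are included in a native submit.
    const named = (form.match(/<input\b[^>]*>/gi) || [])
      .map((input) => attr(input, "name"))
      .filter((n) => n && CARD_HINT.test(n));
    if (named.length === 0) continue; // fallback submit carries no card data
    findings.push("card-fields-in-native-submit");
    if (target.protocol !== "https:") findings.push("fallback-target-not-https");
  }
  return findings;
}

// Constructed sample markup (not taken from the site discussed in the thread).
const risky = `<form action="/donate" method="post">
  <input type="text" name="card_number">
  <input type="text" name="cvc">
</form>`;
// Card inputs without name attributes; only a hypothetical token field is named.
const safer = `<form action="/donate" method="post">
  <input type="text" id="card-number">
  <input type="text" id="card-cvc">
  <input type="hidden" name="payment_token">
</form>`;

console.log(auditPaymentForm(risky, "http://shop.example/donate"));
console.log(auditPaymentForm(safer, "https://shop.example/donate"));
```
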



