by watsissl 4596 days ago
This site is asking for my credit card but I don't see any SSL or VeriSign insignia. I want to support this cause but I never provide a credit card on a non-secured site. Am I being paranoid or misunderstanding something here?
2 comments

Good catch. While the site isn't served over SSL, the actual Wufoo form is. And Stripe (who we're using to process the payments) only allows payments over SSL (https://stripe.com/help/ssl) so your information is safe.
Admirable, but this doesn't really help the scenario where the outer page is intercepted and modified to serve a different iframe. (This is a common attack on pages that e.g. serve login forms over http, even though the form submits to https. Just change the form in-flight.)
Thanks for the clarification!
If you inspect the source, you'll see that the form where you enter your credit card is an https site in an iframe. That will protect you against a passive MITM attack, which is what most people worry about when submitting credit cards to a website.
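An added example, not part of any comment in this thread: a small audit that separates the two cases discussed above, an HTTPS iframe or form target (which covers passive interception of the submitted data) versus an outer page delivered over plain HTTP (which can be rewritten in transit to point at a different target). The host names and sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _EmbedCollector(HTMLParser):
    """Collects (tag, raw_target) for every iframe and form in a document."""
    ATTR = {"iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTR.get(tag)
        if wanted:
            # A missing or empty target resolves to the page's own URL.
            self.targets.append((tag, dict(attrs).get(wanted) or ""))


def audit_embedding(page_url, html):
    """Return (tag, absolute_target, verdict) for each iframe/form found."""
    outer_secure = urlsplit(page_url).scheme == "https"
    collector = _EmbedCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.targets:
        target = urljoin(page_url, raw)
        inner_secure = urlsplit(target).scheme == "https"
        if outer_secure and inner_secure:
            verdict = "ok"
        elif inner_secure:
            # Submitted data is encrypted, but the markup naming this
            # target arrived unauthenticated and could have been altered.
            verdict = "outer-page-unauthenticated"
        else:
            verdict = "target-not-https"
        findings.append((tag, target, verdict))
    return findings


# Constructed sample page: an HTTPS payment iframe plus a relative form.
SAMPLE_HTML = """
<html><body>
<iframe src="https://forms.example.test/donate"></iframe>
<form action="/newsletter" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://charity.example.test/", "https://charity.example.test/"):
        for finding in audit_embedding(url, SAMPLE_HTML):
            print(url, finding)
```
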