Lawrence and crew just responded to my tweet on this. They use Stripe, which is encrypted. The SSL certs for the page that is unencrypted will be up later today.
I'm very unhappy with their replies on Twitter. They can't just say that the information is going to Stripe and Stripe is safe.
The facts are, they have a form which asks people to put their credit card number in it. That form is on an unprotected page, which means it is vulnerable to some advanced attacks even before posting.
Further, the form posts back to the same unprotected page. I don't see any evidence of fancy Javascript behaviors to prevent the posting, but even if it were so, they are still putting their users in significant danger of having that information plucked out of the air by anyone who might be able to sniff the traffic on any leg of the trip from the user's Wifi all the way to the company's firewall.
The HTML of the form shows as POSTing to the same page, but the Stripe JS captures the submit event and cancels it, then makes an API call to Stripe's server via a secure connection. It works, but it is still somewhat vulnerable to MitM attacks.
I like @lessig's latest response. Much more firm and reassuring:
I'm pushing and anxious because this is exactly the sort of problem that could negatively impact the entire campaign, and I think there is worth to the goal. I hope they take a strong stance and fix it quickly rather than trying to placate and coast to a fix.
Looks like they got the cert deployed, although the process isn't directed to https yet. I hand-added https to the URL for the payment collection page and had no issues.