[DEinspanjer]

I'm very unhappy with their replies on Twitter. They can't just say that the information is going to Stripe and Stripe is safe. The facts are, they have a form which asks people to put their credit card number in it. That form is on an unprotected page, which means it is vulnerable to some advanced attacks even before posting. Further, the form posts back to the same unprotected page. I don't see any evidence of fancy Javascript behaviors to prevent the posting, but even if it were so, they are still putting their users in significant danger of having that information plucked out of the air by anyone who might be able to sniff the traffic on any leg of the trip from the user's Wifi all the way to the company's firewall.

[DEinspanjer]

Okay, my facts weren't entirely correct.

The HTML of the form shows as POSTing to the same page, but the Stripe JS captures the submit event and cancels it, then makes an API call to Stripe's server via a secure connection. It works, but it is still somewhat vulnerable to MitM attacks.

I like @lessig's latest response. Much more firm and reassuring:

https://twitter.com/lessig/status/461914159417147392

[nollidge]

I just hit "donate" and it took me to:

https://mayone.us/fec_compliance/

Sincere thanks to everybody who complained to them about this - I wouldn't have donated without HTTPS.

[dllthomas]

Did you miss the "SSL certs should go through later today"? I agree "it's going through Stripe" isn't enough, of course.

[justindz]

Agreed. In its current state, I will not participate.

[DEinspanjer]

I'm pushing and anxious because this is exactly the sort of problem that could negatively impact the entire campaign, and I think there is worth to the goal. I hope they take a strong stance and fix it quickly rather than trying to placate and coast to a fix.