
Technically, no. The payment happens within an iframe secured with https: https://www.simplegoods.co/embed/PKGTEISN



The issue with it, however, is that the initial page is delivered over an insecure connection, which allows any part of it to be modified in the usual MITM style. Nothing prevents an attacker from changing the link that is served to the client with something else that looks like that payment system and functions the same, but logs the payment information. There's a reason Firefox now disallows mixed HTTP/HTTPS content by default[0].

[0] - https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-bloc...


In other words: yes, it's vulnerable to SSL stripping.


If the main page is insecure, then everything is insecure.
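
The condition discussed in this thread, an HTTPS payment frame embedded in a parent page delivered over HTTP, can be checked mechanically when reviewing a site. The following is an added example and not part of any comment above; the hostnames, the sample markup and the `audit_embedding` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup: a shop page embedding a checkout frame over https.
SAMPLE_HTML = '<html><body><iframe src="https://pay.example.test/embed/ORDER1"></iframe></body></html>'


class _Collector(HTMLParser):
    """Collects URLs of elements that load or receive checkout content."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (tag, raw_url)

    def handle_starttag(self, tag, attrs):
        attr = {"iframe": "src", "script": "src", "form": "action"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.targets.append((tag, url))


def audit_embedding(page_url, html, headers=None):
    """Return findings for a parent page; an empty list means no issue was seen."""
    findings = []
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    page_is_https = urlsplit(page_url).scheme == "https"
    if not page_is_https:
        findings.append("parent-not-https: page markup can be rewritten in transit")
    elif "strict-transport-security" not in headers:
        findings.append("no-hsts: first visit can be downgraded to http")
    parser = _Collector()
    parser.feed(html)
    for tag, raw in parser.targets:
        resolved = urljoin(page_url, raw)  # resolves relative and //host URLs
        scheme = urlsplit(resolved).scheme
        if scheme == "https" and not page_is_https:
            findings.append(f"https-{tag}-on-http-parent: {resolved}")
        elif scheme == "http":
            findings.append(f"insecure-{tag}: {resolved}")
    return findings


if __name__ == "__main__":
    for finding in audit_embedding("http://shop.example.test/", SAMPLE_HTML):
        print(finding)
```

An empty result only means the embedding pattern itself is sound; it says nothing about the payment provider's own page.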



