You're viewing a comment by EJ and its responses.
|
Organizations which design systems are constrained to produce designs which are copies of the communication structures of these organizations. (For example, if you have four groups working on a compiler, you'll get a 4-pass compiler) |
About the site:
Twitter
Facebook
Plurk
more
GitHub
LinkedIn
FriendFeed
Google PlusSubscribe to my posts:
Server Sponsors
I am being sponsored by Syntress! They bought me an amazing dedicated server to run catonmat on. If you're looking web services, I highly recommend the Syntress guys!
Education Sponsors
I am being sponsored by A-Writer! If you ever need help with essay writing, look no further than A-Writer! They will help you with your writing in as quickly as 3 hours!
My Amazon Wish List
I love to read science books. They make my day and I get ideas for awesome blog posts, such as Busy Beaver, On Functors, Recursive Regular Expressions and many others.
Take a look at my 
Amazon wish list, if you're curious about what I have planned reading next, and want to surprise me. :)
My Other Websites
Top Ten Articles:
- Top Ten One-Liners from CommandLineFu Explained
- My Job Interview at Google
- MIT's Introduction to Algorithms, Lectures 1 and 2: Analysis of Algorithms
- Famous Awk One-Liners Explained, Part I: File Spacing, Numbering and Calculations
- The Definitive Guide to Bash Command Line History
- Working Productively in Bash's Vi Command Line Editing Mode (with Cheat Sheet)
- Famous Sed One-Liners Explained, Part I: File Spacing, Numbering and Text Conversion and Substitution
- Vim Plugins You Should Know About, Part VI: nerd_tree.vim
- Vim Plugins You Should Know About, Part I: surround.vim
- Low Level Bit Hacks You Absolutely Must Know
Top Ten Downloads:
- awk cheat sheet (.pdf) (106,196)
- bash history cheat sheet (.pdf) (92,064)
- perl's pack/unpack and printf cheat sheet (.pdf) (80,823)
- sed stream editor cheat sheet (.pdf) (71,817)
- screen cheat sheet (.pdf) (58,543)
- perl's special variable cheat sheet (.pdf) (54,616)
- bash vi editing mode cheat sheet (.pdf) (50,009)
- perl1line.txt (49,821)
- the bill gates song.mp3 (musical geek friday #8) (47,175)
- crypt-o.mp3 (musical geek friday #1) (45,491)
Recent Articles:
- Announcing real IEs for Browserling
- Introduction to Perl one-liners
- A quine in node.js
- A poem about division from Hacker's Delight
- The curious case of the DES algorithm
- A proof that Unix utility "sed" is Turing complete
- Review of Clickatell's SMS Service
- Here is why vim uses the hjkl keys as arrow keys
- Announcing dedicated servers for Browserling
- Announcing my third e-book "Perl One-Liners Explained"
Article Categories:
- Awk Programming (8)
- Browserling Startup (12)
- Cheat Sheets (9)
- Computer Science (9)
- Hacker's Approach (5)
- Howto (10)
- Introduction to Algorithms (15)
- Linear Algebra (6)
- Mathematics (1)
- Misc (9)
- Musical Geek Friday (17)
- Node.js Modules (15)
- Perl Programming (14)
- Programming (31)
- Projects (13)
- Security (1)
- The New Catonmat (1)
- Tools (1)
- Unix Shell (18)
- Video Lectures (17)
- Visual Math Friday (1)
Article Archive:
- May, 2012 (3)
- April, 2012 (4)
- March, 2012 (2)
- February, 2012 (1)
- January, 2012 (4)
- December, 2011 (15)
- November, 2011 (3)
- October, 2011 (2)
- September, 2011 (2)
- August, 2011 (3)
- July, 2011 (1)
- June, 2011 (2)
- May, 2011 (1)
- April, 2011 (1)
- March, 2011 (1)
- February, 2011 (1)
- January, 2011 (1)
- December, 2010 (2)
- November, 2010 (1)
- October, 2010 (1)
- September, 2010 (1)
- August, 2010 (2)
- July, 2010 (2)
- June, 2010 (2)
- May, 2010 (2)
- April, 2010 (2)
- March, 2010 (5)
- February, 2010 (5)
- January, 2010 (7)
- December, 2009 (6)
- November, 2009 (6)
- October, 2009 (2)
- September, 2009 (3)
- August, 2009 (2)
- July, 2009 (4)
- June, 2009 (1)
- April, 2009 (1)
- March, 2009 (2)
- February, 2009 (7)
- January, 2009 (4)
- December, 2008 (8)
- November, 2008 (7)
- October, 2008 (4)
- September, 2008 (5)
- August, 2008 (9)
- July, 2008 (14)
- June, 2008 (4)
- May, 2008 (5)
- April, 2008 (8)
- March, 2008 (3)
- February, 2008 (1)
- January, 2008 (1)
- November, 2007 (1)
- October, 2007 (3)
- September, 2007 (5)
- August, 2007 (10)
- July, 2007 (9)
Advertisements
Advertisements
Advertisements
Stripe seems pretty scary. One typo, e.g. forget to return false from the submit handler, and poof your credit card data is sent in the clear to an unsecured server. It would be far better if your credit card was entered in a separate pop-up window hosted on stripe or even better if there was something like Facebook connect for credit card companies so you cc num never is typed into a 3rd party site.
Comment Responses
The stripe.js file is loaded in via an https server, and presumably anyone implementing this will be smart enough to only host their own server-side calls via https as well.
Anywhere you input your credit card number in a form, you are putting trust the domain actually hosting that form to be following a few basic steps like this -- you can't blame the processing library (stripe, paypal, whatever) for naively insecure (or malicious) implementations by an end-user (read: unknown new e-commerce website). That happens with every payment processing library somewhere in the world at some point, it's up to users to realize the site is a scam (regardless of their supposed use of a credible payment processor).
This actually looks like a pretty foolproof system, it'd be hard to inadvertently share a customer's information using a procedure like this, even when trying to purposely mess up the implementation step in common JS ways. The only things the server-side code could potentially share inadvertently are the customer's email address, and an encrypted identification token. And assuming this is all via https, even those are still encrypted.
The thing is, I don't see anything the example code above to indicate that this is hosting any part of the app (the form or the node.js server app) via https. Am I missing something?
The node.js code doesn't reference any .pem files. Was this left out for the sake of concision? Or if not, how is this an https server?
The entire stripe library is loaded in via https:// and all AJAX calls are done vai https://. in other words, stripe.js is entirely secure. The only risk you have of loosing ANYTHING is the token that stripe returns, which is useless unless you have the secret key (which is secret and stored server-side)..
Reply To This Comment