Options

Wufoo Block, Stripe and Secure Ordering

jfilerjfiler Registered Users Posts: 42 Big grins
edited August 14, 2013 in SmugMug Customization
I added an order form with the new Wufoo block, which looks good. Wufoo partners with Stripe for payments and if you use them it integrates the payment screen in your website instead of opening a new window. This is really cool and makes us look good.

My concern is whether or not this is secure ordering. Stripe mentions things that need to be in order for it to be secure but it is confusing and I can't tell what does or does not apply with the Smugmug-Wufoo integration. My website is not https and I don't know if it can be. If it can be, that would be an answer.

What I have is under Order Form on the menu. I have done a live test and it seems to work. Any knowledge on secure ordering this way would be appreciated.

Joe Filer
www.photographsbynature.com

Comments

  • Options
    AndyAndy Registered Users Posts: 50,016 Major grins
    edited August 14, 2013
    You'd have to get a security certificate (ck with your domain host).
    I use Wufoo and Stripe on my workshops business, and I let the transaction happen on Wufoo's https side.
    Andy

    PortfolioWorkshopsFacebookTwitter
  • Options
    jfilerjfiler Registered Users Posts: 42 Big grins
    edited August 14, 2013
    Andy wrote: »
    You'd have to get a security certificate (ck with your domain host).
    I use Wufoo and Stripe on my workshops business, and I let the transaction happen on Wufoo's https side.

    Andy-

    It would appear your "Sign Me Up" link on your workshops opens a new https wufoo window, which I know would be secure from that point on. Not that there is anything wrong with that but I thought it would be cool to avoid the new window, which is doable, just not sure if secure.

    Do you know if there is any issue on Smugmug's part if we have our hosting upgrade to a security certificate? Would want to be sure it is allowed before going that route.

    Thanks,

    Joe Filer
    www.photographsbynature.com
  • Options
    AndyAndy Registered Users Posts: 50,016 Major grins
    edited August 14, 2013
    I don't know. Sorry.
    Andy

    PortfolioWorkshopsFacebookTwitter
  • Options
    thenickdudethenickdude Registered Users Posts: 1,302 Major grins
    edited August 14, 2013
    You can't serve your SmugMug site over HTTPS, if that's what you're asking - that would require SmugMug to be encrypting traffic with a private key for your domain name, which they don't support.

    That's what it would take to have a Wufoo form embedded in your SmugMug site with a lock icon showing in the browser, if that was your goal.

    A Wufoo form embedded in a SmugMug page is not secure against an active attacker - they could modify your (unencrypted) SmugMug page before it reaches the visitor, to swap out the Wufoo content block for one of their own that just steals all the customer data. It is only secure against a passive attacker (one who can only listen to traffic on the wire), assuming that Wufoo is submitting the data to their own HTTPS page. Web browsers don't show a lock icon if you are only getting security against passive attackers.
    https://www.sherlockphotography.org/

    Please check out my gallery of customisations for the New SmugMug, more to come!
Sign In or Register to comment.