Wufoo Block, Stripe and Secure Ordering
I added an order form with the new Wufoo block, which looks good. Wufoo partners with Stripe for payments and if you use them it integrates the payment screen in your website instead of opening a new window. This is really cool and makes us look good.
My concern is whether or not this is secure ordering. Stripe mentions things that need to be in order for it to be secure, but it is confusing and I can't tell what does or does not apply with the SmugMug-Wufoo integration. My website is not https and I don't know if it can be. If it can be, that would be an answer.
What I have is under Order Form on the menu. I have done a live test and it seems to work. Any knowledge on secure ordering this way would be appreciated.
Joe Filer
I use Wufoo and Stripe on my workshops business, and I let the transaction happen on Wufoo's https side.
Portfolio • Workshops • Facebook • Twitter
It would appear your "Sign Me Up" link on your workshops opens a new https Wufoo window, which I know would be secure from that point on. Not that there is anything wrong with that, but I thought it would be cool to avoid the new window, which is doable, just not sure if secure.
Do you know if there is any issue on SmugMug's part if we have our hosting upgrade to a security certificate? Would want to be sure it is allowed before going that route.
Joe Filer
That's what it would take to have a Wufoo form embedded in your SmugMug site with a lock icon showing in the browser, if that was your goal.
A Wufoo form embedded in a SmugMug page is not secure against an active attacker - they could modify your (unencrypted) SmugMug page before it reaches the visitor, to swap out the Wufoo content block for one of their own that just steals all the customer data. It is only secure against a passive attacker (one who can only listen to traffic on the wire), assuming that Wufoo is submitting the data to their own HTTPS page. Web browsers don't show a lock icon if you are only getting security against passive attackers.
Please check out my gallery of customisations for the New SmugMug, more to come!
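Added example, not part of the thread: a small Python check that applies the passive/active distinction from the answer above to a page that embeds a form. The hostnames and sample markup are constructed placeholders, not real SmugMug or Wufoo URLs, and the function name `assess_embed` is made up for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that load content from, or submit data to, another URL.
_WATCHED = {"iframe": "src", "script": "src", "form": "action"}


class _EmbedCollector(HTMLParser):
    """Collects absolute URLs of iframes, scripts and form targets."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag not in _WATCHED:
            return
        value = dict(attrs).get(_WATCHED[tag])
        if tag == "form":
            value = value or ""  # a form without action posts back to the page
        if value is not None:
            # urljoin also resolves relative and protocol-relative (//host) URLs
            self.urls.append(urljoin(self.base_url, value))


def assess_embed(page_url, html):
    """Return (verdict, embedded_urls) for a page that embeds an order form."""
    collector = _EmbedCollector(page_url)
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    embeds_https = all(urlsplit(u).scheme == "https" for u in collector.urls)
    if not embeds_https:
        verdict = "no protection"          # form code or data travels in clear
    elif not page_https:
        verdict = "passive attacker only"  # parent page can be altered in transit
    else:
        verdict = "passive and active"     # browser can show the lock icon
    return verdict, collector.urls


# Constructed sample markup (placeholder hostnames).
SAMPLE = '<h1>Order Form</h1><iframe src="https://forms.example/order/"></iframe>'

if __name__ == "__main__":
    for url in ("http://photos.example/order", "https://photos.example/order"):
        print(url, "->", assess_embed(url, SAMPLE)[0])
```
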