
There is a site called www.mysite.com. It uses Qgiv for taking donations and has some HTML5 data-attributes like:

 <div class="qgiv-embed-container visible-lg-block" data-qgiv-embed="true" data-embed-id="1" data-embed="https://secure.qgiv.com/"></div>

where the payment information (card details) is collected.

There is no SSL/TLS for www.mysite.com and it is relying on Qgiv for collecting payment information.

  1. Is such a site where I can enter payment information to donate secure? I know Qgiv has a secure certificate, but have not donated in the past to a site not using SSL which uses data-attributes to embed information from Qgiv. The organization used to use Paypal but now has switched to Qgiv.

  2. The organization running the site is open to feedback from donors, but they need to be told clearly why their current set-up may not be compliant with PCI standards.

techraf

Chris H

2 Answers


If there is no HTTPS on the page that redirects to Qgiv, a Man-In-The-Middle could intercept the redirection page and replace the redirect to Qgiv with a redirection to the attacker's site.

The attacker's site might use HTTPS and will capture the card details as the user will be unaware whether the site is the legitimate payment gateway or not.

Of course, the attacker will need to be suitably placed, e.g. in a coffee shop on an insecure wireless network. It is recommended to use HTTPS on the whole site to prevent this, in combination with an HSTS policy.

SilverlightFox
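A way to check a donation page for the conditions this answer describes (hosting page not on HTTPS, no HSTS, embed not pointing at an HTTPS origin), as an added example that is not part of the original answer. The page URL, response headers and HTML are constructed inputs; the `data-qgiv-embed` and `data-embed` attribute names are the ones from the question.

```python
# Added example: audit a page that embeds a hosted payment form. Nothing is
# fetched from the network; the caller supplies the URL, headers and body.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class EmbedFinder(HTMLParser):
    """Collect the data-embed URL of every qgiv-embed container in the page."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lowercased
        if tag == "div" and a.get("data-qgiv-embed") == "true":
            self.embeds.append(a.get("data-embed", ""))


def audit_page(page_url, headers, html):
    """Return a list of findings for a page hosting an embedded payment form.

    page_url: URL the donor's browser loaded the page from
    headers:  response headers of that page (dict; key case is ignored)
    html:     the page body
    """
    findings = []
    hdr = {k.lower(): v for k, v in headers.items()}
    parser = EmbedFinder()
    parser.feed(html)

    if urlsplit(page_url).scheme != "https":
        # The embed markup itself travels in clear text, so an on-path attacker
        # can swap data-embed for any origin before the browser renders it.
        findings.append("hosting page not served over HTTPS: embed can be rewritten in transit")
    elif "strict-transport-security" not in hdr:
        findings.append("no HSTS header: first visit over http:// can still be intercepted")

    if not parser.embeds:
        findings.append("no qgiv embed container found")
    for url in parser.embeds:
        if urlsplit(url).scheme != "https":
            findings.append(f"embed URL not HTTPS: {url}")
    return findings


# Constructed sample mirroring the question: plain-http page, HTTPS embed.
SAMPLE_HTML = ('<div class="qgiv-embed-container visible-lg-block" data-qgiv-embed="true" '
               'data-embed-id="1" data-embed="https://secure.qgiv.com/"></div>')

if __name__ == "__main__":
    for finding in audit_page("http://www.mysite.com/donate", {}, SAMPLE_HTML):
        print("-", finding)
```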

First of all SSL and TLS are cryptographic protocols designed to provide communications security over a computer network.

For your case:

If the website has no SSL/TLS (I strongly recommend TLS) then all the data sent to that specific website is in plain text.

If the website has no SSL/TLS but the payment form is embedded in that specific website and that form uses TLS/SSL then: the form is secure but accepts data from unsecured websites! This means that if I am on the same network and I perform a MITM attack I can get your data, and the only problem is that I add 3 more lines of commands :)

If the website has no SSL/TLS but the payment form is on a secure page (like it opens a new page) then all is fine.

Bonus: If you can frame the website, all gods of SSL/TLS are going to sleep, and ONLY if you can send fake links and trick people into thinking that the website is real.

Lucian Nitescu