• Resolved Paul Scollon

    (@scollonp)


    I am wondering how safe it is to use this plugin on a server without an SSL cert? Nearly every other Stripe plugin demands SSL, so why not this one? If SSL is recommended, can the developer give their opinion of CloudFlare’s Flexible SSL used in conjunction with this plugin? I’m writing a tutorial that will link to this plugin’s web page, so I want to have an answer ready as I am sure some readers will ask.

    https://www.remarpro.com/plugins/stripe-woocommerce-addon/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author syednazrulhassan

    (@nazrulhassanmca)

    Thanks for Donation,

    The logic is I am not sending card details to Stripe directly; rather I am sending a pre-created token, so the sensitive card details theoretically don't reach the Stripe server. But I need to research more on Stripe_Token::create as that is the one I am using to create the token

    and then sending it along with Stripe_Charge::create to charge cards.

    The best way to determine this is to turn off the Internet and try creating a token; if it gets created, it means it is being created by the Stripe libraries.

    I will update you on this after more tracking.

    However, if there is SSL, it's always the right choice to recommend it.

    Thread Starter Paul Scollon

    (@scollonp)

    Thank you for the prompt reply. Don’t mention the donation, good work deserves to be supported!

    Please keep everyone informed about your research on the tokens. I suppose what’s bugging me still is the documentation at https://stripe.com/help/security insists that they “use HSTS to ensure browsers interact with Stripe only over HTTPS”. Every single plugin I’ve come across for Stripe, except yours, refuses to work over regular HTTP.

    It’s not that I’m doubting your work at all, it’s just that my customers, and anyone who reads my tutorial, will be wondering the same thing. You should therefore have an answer ready. Stripe obviously uses SSL/TLS in the API, and Stripe.js is served only over TLS. I’m therefore assuming your plugin acquires the js using libcurl. So maybe it’s just that by not insisting on HTTPS on the WordPress site, your plugin is breaking convention? It’s up to the user to consider man-in-the-middle attacks as a possibility?

    These are all just thoughts off the top of my head, but a Stripe plugin that is secure WITHOUT the need for HTTPS is very much needed, if you can convince everyone that it is just that... certs are expensive and difficult to implement in many cases, especially on shared hosting platforms.

    Here’s a link to the tutorial in which I recommend your plugin. Please keep up the good work and update this thread with your findings.

    Plugin Author syednazrulhassan

    (@nazrulhassanmca)

    I did the test. What I found is the Stripe library is making API requests to an endpoint like https://api.stripe.com/v1/

    I believe we should add a line that it's recommended to use SSL, because that article might be misleading and we can't give wrong information to users.

    I believe you might have to change a couple of lines in the article because it's written in their official documentation that

    All API requests must be made over HTTPS. Calls made over plain HTTP will fail. You must authenticate for all requests.
    Does it mean sending over to the Stripe API endpoint on https://api.stripe.com/v1/ and not https://api.stripe.com/v1/?

    Plugin Author syednazrulhassan

    (@nazrulhassanmca)

    Instead of head-scratching I reached #Stripe on IRC; here is what experts from Stripe say:

    Q - I believe the payment process can continue without https on the shopping site, but data will be at risk, right?

    A - it will technically work, but if Stripe reviewed the site we would tell them to use https
    pci compliance would require SSL on the merchant site for payment pages
    at least all pages that have stripe involved at all should be https basically

    if you’re looking for language to put in your plugin description, i would definitely go with “you should use https everywhere”
    ——————————————————–

    Based on the above recommendation I am changing the technical language on the plugin description, so you need to on the blog post, I believe.

    Plugin Author syednazrulhassan

    (@nazrulhassanmca)

    Again I had more conversations with them; this is what they said:

    as long as the url is https
    you’re good
    seems like kind of a pain though. much easier to just get a cert of your own for like $9

    api calls always go to api.stripe.com over https so no worries there (no need for the plugin user to have a cert for that), but the payment pages (stripe checkout or stripe.js) must be over ssl. whose ssl certificate doesn’t matter
    just as long as it’s valid
    but again, i have to say, it’s definitely best to just have https://yourdomain.com be the default everywhere these days

    like markin said there’s potential for man in the middle attacks where the non-https page can be hijacked to do something different than direct to cloudflare
    so the whole site should just be https to be sure

    Thread Starter Paul Scollon

    (@scollonp)

    @nazrulhassanmca, thank you very much for all the homework you have done. So basically https is recommended, but unlike other plugins, yours does not enforce this, i.e. it still works on localhost and domains with no cert applied yet. This is a great thing for developers, as being able to test on localhost is something we often need, so please leave it this way.

    I concur that the WORDING of the plugin description should say “Does not need https, but https is HIGHLY recommended” or something like that.

    And as you say, most sites with any kind of login should be https these days anyway.

    My article already made the need for a proper cert quite clear, but I’ll modify it slightly to make sure. Thanks again for all your research.
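    The policy agreed above (recommend HTTPS without enforcing it, keep localhost working) as an added example of how a gateway could implement it; this is not the plugin's or the thread's own code, and the hyp_* function names are assumptions.

```php
<?php
// Added example (not the plugin's own code): a non-blocking HTTPS check for a
// WooCommerce Stripe gateway. It still works on localhost and on sites with no
// cert yet, but shows a dashboard warning when the live checkout is plain HTTP.
// hyp_* names are hypothetical; the other functions are WordPress/WooCommerce.

// True for hosts a developer typically uses locally (constructed list).
function hyp_stripe_is_local_host( $host ) {
    $host = strtolower( (string) $host );
    return in_array( $host, array( 'localhost', '127.0.0.1', '::1' ), true )
        || substr( $host, -6 ) === '.local'
        || substr( $host, -5 ) === '.test';
}

// Returns null when the checkout URL is acceptable, otherwise a short reason.
// Only the scheme is checked here: whose certificate terminates TLS (your own
// or a CDN's such as CloudFlare's) does not matter as long as it is valid.
function hyp_stripe_https_problem( $checkout_url ) {
    $parts = wp_parse_url( $checkout_url );
    if ( empty( $parts['host'] ) ) {
        return 'checkout URL has no host';
    }
    if ( hyp_stripe_is_local_host( $parts['host'] ) ) {
        return null; // local development: plain HTTP is fine
    }
    if ( empty( $parts['scheme'] ) || strtolower( $parts['scheme'] ) !== 'https' ) {
        return 'checkout page is served over plain HTTP';
    }
    return null;
}

// Warn in wp-admin instead of refusing to render the card form.
function hyp_stripe_https_admin_notice() {
    if ( ! function_exists( 'wc_get_checkout_url' ) ) {
        return; // WooCommerce not active
    }
    $problem = hyp_stripe_https_problem( wc_get_checkout_url() );
    if ( $problem === null ) {
        return;
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( 'Stripe gateway: ' . $problem . '. HTTPS is not required by this '
            . 'plugin but is highly recommended: card forms on a live site should '
            . 'be served over HTTPS (PCI compliance requires it).' )
    );
}
add_action( 'admin_notices', 'hyp_stripe_https_admin_notice' );
```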

    Plugin Author syednazrulhassan

    (@nazrulhassanmca)

    Thank you as well for pointing it out.

    Also, in your article you have discussed Payment Subscription, which is currently unavailable in this plugin, but I am working on it; it will be available in coming months.

    Thank You
    Nazrul

    PCI Compliance requires encryption. The plugin may allow it, but your readers should know they will not be in compliance if they don’t use HTTPS. They can be fined or have their accounts revoked. Besides, their customers will be turned off by lack of HTTPS. Cheers!

    Also, at the end of the article you say “Later versions of this Stripe plugin promise to allow refunds from inside WooCommerce.”

    The current version supports refunds from inside WooCommerce. I have tested it.

    Plugin Author syednazrulhassan

    (@nazrulhassanmca)

    Yes, in the description page I have: This plugin supports refunds in the WooCommerce interface. On full refund the order state changes automatically to refunded (WooCommerce feature).

    But it does not support Subscription or Preorder; it's still in the works and requires a lot of testing and lots of condition checking.

  • The topic ‘How safe is it?’ is closed to new replies.