FR: from within an unactivated Scapple for macOS, the method to buy Scapple from its own menu presents something akin to a simple webpage (probably just an HTML window without any surrounding browser). That, in turn, punches through to Paddle.com, which then punches through to PayPal, which then asks for my PayPal username, followed (next screen) by an ill-defined box requesting my PayPal password. Ummm… no.
Nowhere is the opportunity presented to verify the PayPal certificate. Nor is it clear exactly what I’m using, or to whom I’ve opened up this session.
I backed out. I started over from scratch, purchasing Scapple directly from the L&L website, where I could verify that I was really talking to PayPal. I’m fully licensed now. Love the product, BTW.
I can’t recreate this, because I just activated Scapple. So I’m no longer presented with quite the same menu options. I hope that’s a sufficiently clear description, though. Maybe the thing to do is simply to punch-out into an actual browser.
Thanks for the report. I’ve checked it out, and it looks like the web store component is using the recommended method for interfacing with PayPal. A new web window is opened exclusively for PayPal’s use, which then only sends back a success/failure token to the original window, rather than any of the private information that might be entered into that window. I’m not sure if it is possible to actually do this in a way that provides more information—like piping the request to a browser. The key thing is getting that token back, which might be problematic between entirely separate programs. At least, whenever I see PayPal payments integrated into software like this, this is what I see: a dedicated window set up that operates within the umbrella of the host software. Steam payments, for example, will work this way (at least on PC, I don’t know if it is any different on Mac, though I imagine not since they use a cross-platform toolkit).
But at any rate, you’re right to be cautious, and I don’t blame you for using a browser to complete the transaction. I try not to use the Internet much at all from software unless I have to, just on general principle.
I’ll pass the message along to our vendor though; maybe there is something they can add to this window that can help, like a read-only URL bar so you can examine the cert.