Good evening team!
This is a theoretical risk but I thought it was still worth reporting since every endpoint and any data flowing through inside.gratipay.com is unencrypted.
And every sub directory under inside.gratipay.com.
Since the certificate is only valid through *.herokuapp.com the domain is sending a warning message about MITM attacks. This warning is valid because all data is not being HTTPS encrypted.
The warning is also pretty scary to anyone browsing inside.gratipay.com for information on how to contribute.
Add a valid certificate on inside.gratipay.com.
Stay classy, you guys rock. Nerd emoji.