Tobacco Reviews Site Has Been Hacked


Status
Not open for further replies.

olkofri

Lifer
Sep 9, 2017
8,033
14,644
The Arm of Orion
If you don't want to have encrypted traffic and a verifiable site, you would be better off not having SSL to begin with, seeing as you don't manage accounts or anything. Just leave it as a standard http site -- then you wouldn't have that problem to begin with.
I think the SSL comes by default with cPanel. For some reason, though, that certificate I get from them doesn't get applied to my site proper. Don't ask me why. I'm more likely to ask you why. I'm no unix guru.
 

olkofri

Lifer
Sep 9, 2017
8,033
14,644
The Arm of Orion
If you don't want to have encrypted traffic and a verifiable site, you would be better off not having SSL to begin with, seeing as you don't manage accounts or anything. Just leave it as a standard http site -- then you wouldn't have that problem to begin with.
I'm also wondering: isn't SSL required for the E-mail portion of the domain/site/what-have-you?
 
Reactions: --dante--

--dante--

Lifer
Jun 11, 2020
1,062
7,165
Pittsburgh, PA USA
I'll reiterate here on this whole SSL thing, because it's nothing or something, depending on the site:
SSL certificates do two things:

1) Verify the site you are visiting is indeed the site you think you are visiting (to put it simply the key is hashed between your browser, the site, and the certificate authority).

Your browser has a database of trusted certificate authorities, and can verify them...web server(s) have a public key that's part of the certificate authority's key to verify your specific web server(s) are the ones that are allowed to host that certificate. That's critical to avoid visiting sites that have hijacked other sites' addresses.

2) Encrypt your network traffic between you and the site. This is unimportant if no commerce, and no usernames and passwords are used. Critical otherwise.

If you are okay with 1 and 2 (which is fine for a forum or some-such thing, and you don't use usernames and passwords), then do move on to the site. If it's a site you trust, but use a password too, mind item 2.

It's fine to peruse the reviews on tobaccoreviews.com with the SSL temporarily expired, but be aware, there is talent out there that specifically looks for such oversights, and may try to use that window to sniff usernames and passwords, at minimum (speaking in general).
 

--dante--

Lifer
Jun 11, 2020
1,062
7,165
Pittsburgh, PA USA
I'll reiterate here on this whole SSL thing, because it's nothing or something, depending on the site:
SSL certificates do two things:

1) Verify the site you are visiting is indeed the site you think you are visiting (to put it simply the key is hashed between your browser, the site, and the certificate authority).

Your browser has a database of trusted certificate authorities, and can verify them...web server(s) have a public key that's part of the certificate authority's key to verify your specific web server(s) are the ones that are allowed to host that certificate. That's critical to avoid visiting sites that have hijacked other sites' addresses.

2) Encrypt your network traffic between you and the site. This is unimportant if no commerce, and no usernames and passwords are used. Critical otherwise.

If you are okay with 1 and 2 (which is fine for a forum or some-such thing, and you don't use usernames and passwords), then do move on to the site. If it's a site you trust, but if you use a login, mind item 2.

It's fine to peruse the reviews on tobaccoreviews.com with the SSL temporarily expired, but be aware, there is talent out there that specifically looks for such oversights, and may try to use that window to sniff usernames and passwords, at minimum (speaking in general).

The site itself need not be hacked whatsoever.
 
Care to share the tip?

I am NOT condoning it because if there really IS trouble, you might end up in the fray but one could enter through the "Advanced" tab and then at the bottom, there will be a clickable that says "Proceed to the website (UNSAFE)".

That will get you there...... Again not condoning this, but did it myself as I needed to look up a genre of a blend I was putting in my spreadsheet and I am still here. puffy
 
Reactions: CoffeeAndBourbon

--dante--

Lifer
Jun 11, 2020
1,062
7,165
Pittsburgh, PA USA
I am NOT condoning it because if there really IS trouble, you might end up in the fray but one could enter through the "Advanced" tab and then at the bottom, there will be a clickable that says "Proceed to the website (UNSAFE)".

That will get you there...... Again not condoning this, but did it myself as I needed to look up a genre of a blend I was putting in my spreadsheet and I am still here. puffy
Yep that's fine really -- as I said, if you aren't concerned with verifying it's the real site (like your bank or something), and you don't pass on username and password to access it, and/or do commerce with it, I wouldn't worry about it. Hell this site is unsecured, for that matter (no ssl cert).
 
Reactions: sandollars

JimInks

Sultan of Smoke
Aug 31, 2012
60,846
553,758
This happened a few years back when SpecComm owned. Kretek has to renew their certificate.
 
Reactions: ram74

--dante--

Lifer
Jun 11, 2020
1,062
7,165
Pittsburgh, PA USA
This happened a few years back when SpecComm owned. Kretek has to renew their certificate.
Yep they (the certificates) don't last all that long, and many sites without a larger infrastructure handling the certs simply forget until users notice it. It's not a big deal as long as it's not a site you have to trust, or one you transmit info like usernames and password to. This site is unsecured, so I simply use a password I would never use for anything requiring actual security like paypal, amazon, my bank, etc.
 

olkofri

Lifer
Sep 9, 2017
8,033
14,644
The Arm of Orion
I am NOT condoning it because if there really IS trouble, you might end up in the fray but one could enter through the "Advanced" tab and then at the bottom, there will be a clickable that says "Proceed to the website (UNSAFE)".

That will get you there...... Again not condoning this, but did it myself as I needed to look up a genre of a blend I was putting in my spreadsheet and I am still here. puffy
Nope, it's not there. I looked, because that's what I always do. Firefox has it. Chrome doesn't: man, that's WHY I'M SCREAMING!!
 

olkofri

Lifer
Sep 9, 2017
8,033
14,644
The Arm of Orion
UPDATE: I found it, but it's not under Advanced. You have to click on the site info button to the left of the URL field (which will say "Not Secure" in red) and set up permissions for the site. At the very bottom there is an option for "Unsecure content", which you can set to Allow (it's set to Blocked by default).
 
Reactions: sandollars

olkofri

Lifer
Sep 9, 2017
8,033
14,644
The Arm of Orion
Yep they (the certificates) don't last all that long, and many sites without a larger infrastructure handling the certs simply forget until users notice it. It's not a big deal as long as it's not a site you have to trust, or one you transmit info like usernames and password to. This site is unsecured, so I simply use a password I would never use for anything requiring actual security like paypal, amazon, my bank, etc.
Yup, and some of the 'free' certificates expire sooner than the paid-for ones. For instance, Let's Encrypt's expire every 90 days.
 
Reactions: sandollars
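
Added example, not part of any post in this thread: a small expiry monitor for the situation discussed above, where a certificate lapses because nobody renewed it in time. The host names, dates and the 30-day warning window are constructed assumptions; the sample records use the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumption: start warning this many days before expiry

def days_left(peercert, now):
    """Whole days until the certificate's notAfter; negative once expired."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)

def classify(peercert, now, window=RENEW_WINDOW_DAYS):
    left = days_left(peercert, now)
    if left < 0:
        return "EXPIRED"
    if left <= window:
        return "RENEW_SOON"
    return "OK"

def fetch_status(host, port=443, timeout=5.0):
    """Live check: perform the same verified handshake a browser would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(), datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate is rejected here, before any page data moves.
        return "REJECTED: " + exc.verify_message

# Constructed sample records (hypothetical hosts), no network needed.
SAMPLE = {
    "reviews.example": {"notAfter": "Mar  1 12:00:00 2024 GMT"},
    "shop.example": {"notAfter": "Apr 20 12:00:00 2024 GMT"},
    "forum.example": {"notAfter": "Jun 30 12:00:00 2024 GMT"},
}

def report(certs, now):
    return {host: classify(cert, now) for host, cert in certs.items()}

if __name__ == "__main__":
    now = datetime(2024, 4, 1, 12, 0, 0, tzinfo=timezone.utc)
    for host, status in report(SAMPLE, now).items():
        print(host, status)
```

Run on a schedule against a site's own host names, the `RENEW_SOON` state gives the operator notice before visitors see a browser warning.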

--dante--

Lifer
Jun 11, 2020
1,062
7,165
Pittsburgh, PA USA
UPDATE: I found it, but it's not under Advanced. You have to click on the site info button to the left of the URL field (which will say "Not Secure" in red) and set up permissions for the site. At the very bottom there is an option for "Unsecure content", which you can set to Allow (it's set to Blocked by default).
Yeah every browser has its own way of doing it (bypassing security). If a site (like this one) doesn't use SSL in the first place, then you'd never hear about it. Tobaccoreviews uses an SSL certificate, so when there's a problem with it, your browser will squawk about it (as it should) since it's registered as a secure site, and is failing one of the parameters.
 
Reactions: sandollars