Sidebar

Tobacco Reviews Site Has Been Hacked

Log in

Forgot your password?

SmokingPipes.com Updates

Watch for Updates Twice a Week

PipesMagazine Approved Sponsor

Site Sponsors

Al Pascia
Blue Room Briars
Cigar World
Danish Pipe Shop
LePipe.it
MBSD Pipes
Missouri Meerschaum
Pipes2Smoke.com
PipeStud.com
SmokingPipes.com
Tabaccheria Corti
TinBids.com

PipesMagazine Approved Sponsor

PipesMagazine Approved Sponsor

PipesMagazine Approved Sponsor

PipesMagazine Approved Sponsor

Status
Not open for further replies.
olkofri

olkofri

Lifer
Sep 9, 2017
8,166
14,978
The Arm of Orion
--dante-- said:
If you don't want to have encrypted traffic and a. verifiable site, you would be better off not having SSL to begin with, seeing as you don't manage accounts or anything. Just leave it as a standard http site -- then you wouldn't have that problem to begin with.
Click to expand...
I think the SSL comes by default with cPanel. For some reason, though, that certificate I get from them doesn't get applied to my site proper. Don't ask me why. I'm more likely to ask you why. I'm no unix guru.
 

olkofri

olkofri

Lifer
Sep 9, 2017
8,166
14,978
The Arm of Orion
--dante-- said:
If you don't want to have encrypted traffic and a. verifiable site, you would be better off not having SSL to begin with, seeing as you don't manage accounts or anything. Just leave it as a standard http site -- then you wouldn't have that problem to begin with.
Click to expand...
I'm also wondering: isn't SSL required for the E-mail portion of the domain/site/what-have-you?
 
  • Like
Reactions: --dante--
--dante--

--dante--

Lifer
Jun 11, 2020
1,099
7,751
Pittsburgh, PA USA
I'll reiterate here on this whole SSL thing, because it's nothing or something, depending on the site:
SSL certificates do two things:

1) Verify the site you are visiting is indeed the site you think you are visiting (to put it simply the key is hashed
between your browser, the site, and the certificate authority).

Your browser has a database of trusted certificate authorities, and can verify them...web server(s) have a public key that's part of the certificate authorities key to verify your specific web server(s) are the ones that are allowed to host that certificate. That's critical to avoid visiting sites that have hijacked other sites addresses.

2) Encrypt your network traffic between you and the site. This is unimportant if no commerce, and no usernames and passwords are used. Critical otherwise.

If you are okay with 1 and 2 (which is fine for a forum or some-such thing, and you don't use usernames and passwords), then do move on to the site. If it's a site you trust, but use a password two, mind item 2.

It's fine to peruse the reviews on tobaccoreviews.com with the SSL temporarily expired, but be aware, there is talent out there that specifically looks for such oversights, and may try to use that window to sniff usernames and passwords, at minimum (speaking in general).
 
Last edited:
  • Like
Reactions: CoffeeAndBourbon and sandollars
--dante--

--dante--

Lifer
Jun 11, 2020
1,099
7,751
Pittsburgh, PA USA
--dante-- said:
I'll reiterate here on this whole SSL thing, because it's nothing or something, depending on the site:
SSL certificates do two things:

1) Verify the site you are visiting is indeed the site you think you are visiting (to put it simply the key is hashed
between your browser, the site, and the certificate authority).

Your browser has a database of trusted certificate authorities, and can verify them...web server(s) have a public key that's part of the certificate authorities key to verify your specific web server(s) are the ones that are allowed to host that certificate. That's critical to avoid visiting sites that have hijacked other sites addresses.

2) Encrypt your network traffic between you and the site. This is unimportant if no commerce, and no usernames and passwords are used. Critical otherwise.

If you are okay with 1 and 2 (which is fine for a forum or some-such thing, and you don't use usernames and passwords), then do move on to the site. If it's a site you trust, but if you use a login, mind item 2.

It's fine to peruse the reviews on tobaccoreviews.com with the SSL temporarily expired, but be aware, there is talent out there that specifically looks for such oversights, and may try to use that window to sniff usernames and passwords, at minimum (speaking in general).

The site itself need not be hacked whatsoever.
Click to expand...
 
sandollars

sandollars

Lifer
Jul 28, 2019
2,605
7,950
St. George, Utah-Winter, Fishlake, Utah-Summer
olkofri said:
Care to share the tip?
Click to expand...

I am NOT condoning it because if there really IS trouble, you might end up in the fray but one could enter through the "Advanced" tab and then at the bottom, there will be a clickable that says "Proceed to the website (UNSAFE)".

That will get you there...... Again not condoning this, but did it myself as I needed to look up a genre of a blend I was putting in my spreadsheet and I am still here. puffy
 
  • Like
Reactions: CoffeeAndBourbon
--dante--

--dante--

Lifer
Jun 11, 2020
1,099
7,751
Pittsburgh, PA USA
sandollars said:
I am NOT condoning it because if there really IS trouble, you might end up in the fray but one could enter through the "Advanced" tab and then at the bottom, there will be a clickable that says "Proceed to the website (UNSAFE)".

That will get you there...... Again not condoning this, but did it myself as I needed to look up a genre of a blend I was putting in my spreadsheet and I am still here. puffy
Click to expand...
sandollars said:
I am NOT condoning it because if there really IS trouble, you might end up in the fray but one could enter through the "Advanced" tab and then at the bottom, there will be a clickable that says "Proceed to the website (UNSAFE)".

That will get you there...... Again not condoning this, but did it myself as I needed to look up a genre of a blend I was putting in my spreadsheet and I am still here. puffy
Click to expand...
Yep that's fine really -- as I said, if you aren't concerned with verifying its the real site (like your bank or something), and you don't pass on username and password to access it, and/or do commerce with it, I wouldn't worry about it. Hell this site is unsecured, for that matter (no ssl cert).
 
  • Like
Reactions: sandollars
JimInks

JimInks

Sultan of Smoke
Aug 31, 2012
64,460
645,657
This happened a few years back when SpecComm owned. Kretek has to renew their certificate.
 
  • Like
Reactions: ram74
--dante--

--dante--

Lifer
Jun 11, 2020
1,099
7,751
Pittsburgh, PA USA
jiminks said:
This happened a few years back when SpecComm owned. Kretek has to renew their certificate.
Click to expand...
Yep they (the certificates) don't last all that long, and many sites without a larger infrastructure handling the certs simply forget until users notice it. It's not a big deal as long as it's not a site you have to trust, or one you transmit info like usernames and password to. This site is unsecured, so I simply use a password I would never use for anything requiring actual security like paypal, amazon, my bank, etc.
 
  • Like
Reactions: CoffeeAndBourbon and JimInks
olkofri

olkofri

Lifer
Sep 9, 2017
8,166
14,978
The Arm of Orion
sandollars said:
I am NOT condoning it because if there really IS trouble, you might end up in the fray but one could enter through the "Advanced" tab and then at the bottom, there will be a clickable that says "Proceed to the website (UNSAFE)".

That will get you there...... Again not condoning this, but did it myself as I needed to look up a genre of a blend I was putting in my spreadsheet and I am still here. puffy
Click to expand...
Nope, it's not there. I looked, because that's what I always do. Firefox has it. Chrome doesn't: man, that's WHY I'M SCREAMING!!
 
olkofri

olkofri

Lifer
Sep 9, 2017
8,166
14,978
The Arm of Orion
UPDATE: I found it, but it's not under Advanced. You have to click on the site info button to the left of the URL field (which will say "Not Secure" in red) and set up permissions for the site. At the very bottom there is an option for "Unsecure content", which you can set to Allow (it's set to Blocked by default).
 
  • Like
Reactions: sandollars
olkofri

olkofri

Lifer
Sep 9, 2017
8,166
14,978
The Arm of Orion
--dante-- said:
Yep they (the certificates) don't last all that long, and many sites without a larger infrastructure handling the certs simply forget until users notice it. It's not a big deal as long as it's not a site you have to trust, or one you transmit info like usernames and password to. This site is unsecured, so I simply use a password I would never use for anything requiring actual security like paypal, amazon, my bank, etc.
Click to expand...
Yup, and some of the 'free' certificates expire sooner than the paid-for ones. For instance, Let's Encrypt's expire every 90 days.
 
  • Like
Reactions: sandollars
--dante--

--dante--

Lifer
Jun 11, 2020
1,099
7,751
Pittsburgh, PA USA
olkofri said:
UPDATE: I found it, but it's not under Advanced. You have to click on the site info button to the left of the URL field (which will say "Not Secure" in red) and set up permissions for the site. At the very bottom there is an option for "Unsecure content", which you can set to Allow (it's set to Blocked by default).
Click to expand...
Yeah every browser has it's own way of doing it (bypassing security). If a site (like this one) doesn't use SSL in the first place, then you'd never hear about it. Tobaccoreviews uses an SSL certificate, so when there's a problem with it, your browser will squawk about it (as it should) since it's registered as a secure site, and is failing one of the parameters.
 
  • Like
Reactions: sandollars
Status
Not open for further replies.
Top Bottom