Removing support for TLS 1.0 and TLS 1.1


For security reasons, it is best practice to disable TLS 1.0 and TLS 1.1, but before you do this you may need to weigh up the risks to traffic from old browsers.

After disabling TLS 1.0 and TLS 1.1 any visitors using old browsers won’t be able to access your site.  If you are accepting credit card payments through your website then your customers security is more important but if you have a public information site then this may not be the case.

Don’t I always want the best security?

Please don’t get us wrong. We are NOT advocating blindly reducing security. This post is very much a response to customers that come to us wanting changes that will break their sites in order to get a perfect score or tick a compliance box. We can usually come up with a best of both worlds once we show the exact implications of the change.

What’s the fuss about?

GlobalSign’s What’s Behind the Change? paragraph sums this up nicely:

Various vulnerabilities over the past few years (e.g., BEAST, POODLE, DROWN…we love a good acronym, don’t we?) have had industry experts recommending disabling all versions of SSL and TLS 1.0 for a while now. PCI Compliance was another driving factor. On June 30, 2018, the PCI Data Security Standard (DSS) required that all websites needed to be on TLS 1.1 or higher in order to comply.

The RFC 7525 from 2015 stipulates that implementations should not use TLS 1.0 or TLS 1.1:

   o  Implementations SHOULD NOT negotiate TLS version 1.0 [RFC2246];
      the only exception is when no higher version is available in the
      Rationale: TLS 1.0 (published in 1999) does not support many
      modern, strong cipher suites.  In addition, TLS 1.0 lacks a per-
      record Initialization Vector (IV) for CBC-based cipher suites and
      does not warn against common padding errors.
   o  Implementations SHOULD NOT negotiate TLS version 1.1 [RFC4346];
      the only exception is when no higher version is available in the
      Rationale: TLS 1.1 (published in 2006) is a security improvement
      over TLS 1.0 but still does not support certain stronger cipher

Qualys SSL Labs have reduced their grading for servers which support TLS 1.0 or TLS 1.1

Assessing the risk

Who won’t be able to access my website if I disable TLS 1.0 or TLS 1.1? Generally speaking browsers before 2013 will have trouble.  Most popular clients affected are old Android phones and old versions of Windows with Internet Explorer 10.  For the exact Android versions and other affected clients this is a nice breakdown.  As you’d expect the number of visitors with these old clients will vary according to your user base.  It’s best you check your site’s analytics to inform your decision.

Again, you can take into account how important encryption is for your website.  For example, at the time of writing it’s interesting to note that has removed support for TLS 1.0 & 1.1 whilst has not.


So what does this mean?  Lets give some examples…

If security is important to you; perhaps you have an e-commerce site taking payments or you are a IT consultancy like ourselves where people wish to share private information. You must disable old SSL/TLS protocols so that the only way people can communicate with your site is as secure as possible.

If accessibility is important to you; perhaps you are trying to share public information, be it a marketing or public resources site. It maybe worth supporting old protocols to allow your message to be shared as wide as possible.

Remember; it maybe typically called a sales “funnel” but traffic doesn’t have to end up in just one place. Users not supporting the right levels of security can be redirected to alternative pages where they can be contacted in other ways.  Why lose a sale when you don’t have to!


We’ve intentionally painted with broad strokes in this blog post.  We’re happy to give specific advice if you contact us and feel free to leave a comment 🙂

AWS Logo

Amazon Linux 1 goes EOL 30 June 2020

On the 30th June 2020, Amazon Linux 1 goes End of Life (EOL). We recommend you upgrade to Amazon Linux 2.

Technology and security evolves. New bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date. Once an operating system reaches end of life, it no longer receives updates, so will end up left with known security holes. Old operating systems don’t support the latest technologies, which new releases of software depend on, this can lead to compatibility issues.

Leaving old Amazon Linux 1 systems past June 2020 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

Changes in AWS Linux 2:

  • Apache / HTTPD 2.2.34 -> 2.4.41
  • PHP 5.3 -> PHP 5.4
  • MySQL 5.5 -> MariaDB 5.5
  • SystemVinit -> systemd

As well as new features like:

  • Long term software OS and support until 2023
  • Access to the latest software like PHP 7.2 via the amazon-linux-extras tool.

Not sure where to start? Contact us to help with your migration.

Magento Logo

Magento 1.x EOL June 2020

Magento v1 (all versions up to and including v1.9.4.3) will stop receiving software security updates after June 2020. Don’t leave it too late to migrate if you haven’t already.

This affects both editions of Magento…

  • Open Source (formerly “Community Edition”)
  • Commerce (formerly “Enterprise Edition”)

We recommend you upgrade to the latest version of Magento 2, currently version 2.3.3.

v2 was released in November 2015 and has proven itself to be a huge upgrade on v1. It has improved performance, improved page caching, inbuilt rich snippets for structured data, enterprise-grade scalability, a new file structure with easier customization, CSS Preprocessing and a much more structured code base.

Magento have a number of Migration Tools available to assist you with moving from v1 to v2.

And of course, if you need an help with your migration please do feel free to contact us to discuss your requirements.

Toy Story Jessie running in front of a large green arrow

Debian 8 Jessie EOL 30th June 2020

On the 30th June 2020, Debian 8 “Jessie” goes End of Life (EOL). We recommend you upgrade to Debian 10 “Buster” (skipping Debian 9 if possible).

Debian 8 was one of a few OS’s that supported PHP 5, even after official support by the PHP developers ended in 2018. Debian 10 supports PHP 7.3, which may require  some rewriting of code for your website or application, so it best to start planning your upgrade now!

Technology and security evolves. New bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.  Once an operating system reaches end of life, it no longer receives updates, so will end up left with known security holes. Old operating systems don’t support the latest technologies, which new releases of software depend on, this can lead to compatibility issues.

Leaving old Debian 8 systems past June 2020 leaves you at risk to:

  • Security vulnerabilities of the out of date system.
  • Making your entire network more vulnerable.
  • Software incompatibility.
  • Compliance issues (PCI).
  • Poor performance and reliability.

Debian End of life dates:

  • Debian 9 “Stretch”: June 2022.
  • Debian 10: “Buster”:  No date given as yet –  based on previous releases our best guess is 2024.

Increased Speed:

By moving from Debian 8 to Debian 10 you should notice a speed increase due to the newer software.

  • Apache 2.4.10 -> Apache 2.4.38
  • PHP 5.x -> PHP 7.3
  • MySQL 5.6 / 5.7 -> MariaDB 10.3

Not sure where to start? Contact us to help with your migration.


Feature image by Loren Javier licensed by CC by 2.0

Cyber Security

A small business cyber security plan

October is National Cyber Security Awareness Month (NCSAM).  #BeCyberSmart #CyberAware

Security is everyone’s responsibility, so whether you’re a small business, medium enterprise, SaaS provider or web agency, grab a cuppa and learn some of the ways, we at Dogsbody, recommend improving your security.

You are 9 times more likely to be a victim of fraud than burglary.

With 15 years of experience behind us we feel qualified to produce our very own small business cyber security plan.

A small business cyber security plan

Security (cyber or otherwise) all boils down to risk.

The only way to keep a system 100% safe is for it to be in a sealed room, inaccessible to people, to the internet or the outside world and even then, someone could almost certainly gain access to the room if they really wanted too.

Security isn’t just about protecting from the hacks we are aware of, it’s also about attempting to protect users from the threats which haven’t yet been discovered or made widely available.

Implementing preventative or early detection systems with the right security practices for your people, processes and IT systems should mean you become more tuned to spotting attacks or hacks, giving you a better chance to protect yourself and your business.

“100% secure is just not possible”

Technology is a constantly moving beast. So are the methods used to try to gain unauthorised access to your systems.

Your staff may be reasonably savvy about emails which impersonate companies, however as an example of the speed of technology, the Dogsbody team has seen AI now being used to fake people’s voices and scam people out of £1000’s.

Scammers are coming up with new methods to extract cash or assets from companies as fast as security experts are mitigating them.

In this article, we look at each of the three principle areas of risk for your business – People, Systems and Processes; as well as some of the things you can implement immediately to reduce your exposure.

Computer security, cybersecurity or information technology security (IT security) is the protection of computer systems from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. –

Risk #1- people

Image of technician working at three monitors - Educating people is a huge part of any small business cyber security plan

Humans are fallible (likely to make errors or fail). Nobody’s perfect, after all.

However there are some actions for which there are no excuses … weak passwords is one of them! Any small business cyber security plan has to put passwords at the centre of the plan.

The good news is that there are so many ways to make strong unique passwords for every single login. The video below contains a useful method for creating incredibly strong, yet memorable passwords:

Find out how easy passwords are to crack. Get scared.

Password reuse and poor passwords are unacceptable and easily preventable. We have talked before about using a password manager and 2 Factor Authentication (2FA) where available. Get to understand these tools (or talk to us!) and figure out how best to include them within your business.

Education is key

Having clear processes and good security training is another way to help make sure everyone is on the same page.  Free cyber security training courses, videos and online resources are readily available from reputable sources:

Social Media – your online life

Social media allows us to find out basic details about people and companies within seconds. Using a combination of Google and Linkedin allows everyone to know who you work for.

Whilst this is great for networking, it does mean that you and your team need to be careful about what you share and and who you share it with.

If you are reading this article and rolling your eyes and think this security advice just doesn’t matter, spend three minutes watching this (brilliant) video and you might just change your mind:

Frightening huh? And hopefully thought provoking too.

Have processes in place to check when dealing with all contacts via email and phone. Are you speaking to who you think it is?.

It is also sensible to avoid giving out personal data over the phone or via insecure methods such as Slack and email.

Risk #2 – systems, servers & devices

Image of two people breaking into a safe - Small business cyber security plan - Lock it down

There is something or someone trying to access your data every minute of every day.

Implementing preventative and early detection systems into your workflow may help mitigate a situation before it starts.

Devices, including servers, work laptops, home laptops, mobile phones, routers, printers, internet of things (IOT) devices (including that wifi connect light bulb) can all be used against you and your business.

Dogsbody’s #1 tip: keep your devices up-to-date

Updates for all of these devices are released regularly to address bugs, code improvements and security vulnerabilities.

If you’re not updating (patching) regularly, then you are putting yourself at a higher risk of being exploited by a known vulnerability.

Don’t be that person or company.

End of life

Be aware of software end of life (EOL). For example mobile phone hardware usually outlives its supported software meaning it’s open to new security vulnerabilities.

We often talk about ‘end of life’ software in our newsletter. Last month, we confirmed Python 2.7 and PHP 7.1 are going to be end of life soon. Once software is no longer supported, there are no guarantees about the security holes this software could lead too.

Restrict access

Only give access to the areas people need to do their job whether that is physical (rooms, offices), Documents (read only and write only) or devices/servers, it will make it easier to spot an intruder. Separate users means you can see who made a change giving you an audit trail should anything go amiss. Remember to remove old users.

Proactive monitoring

Monitor everything: cpu, memory, disk io, disk space, ports etc. We monitor all of these metrics (and more) on behalf of 100’s of customers.

Use our free tool to monitor some of your external resources too – StatusPile allows you to build a status page of status pages.

A spike or alert across any of these metrics could mean a server is being attacked. If you respond quickly, attackers can be blocked before they cause too much damage.

Back up

We’ve written about backup strategies before. This is such a fundamental part of business.

Don’t be that company that can’t recover from an event like this:

Image of burnt out server rack - Off site backups are essential

If you lost everything where do you go?

Off site backups – simply have them, know where they are and keep them up to date.

Make sure you check them regularly. Is everything being backed up correctly? Are they actually working when you perform a restore? Is the retention policy set correctly?

It’s not good enough to set and forget – new infrastructure gets added, access codes change. Be diligent and don’t lose your business when something goes wrong.

Standardised builds

Have (documented) standard builds for servers, workstations, laptops and other network infrastructure.

Insecure configurations can allow malicious users to obtain unauthorised access, so it is important to ensure the secure configuration of all systems is set up and maintained.

If you need help, talk to us – we do this every day!

Know what you don’t know

That may sound like a crazy heading – but we really mean it. If you don’t test your infrastructure regularly, you don’t know what’s really going on. Involve a third party, get an expert to ethically hack into your systems. This process is of course known as penetration testing.

Penetration tests take many different forms. Testing once a year is a step in the right direction, however infrastructure changes regularly and rightly so, patches must be applied and users added and removed, its a constantly moving beast, so it makes sense to have regular penetration tests. Whilst they give you peace of mind – they will also give your customers peace of mind too.

Protect your email

Make it harder for impersonators to send spam which looks like it comes from your business by setting up your email correctly.

Public wifi is a notorious place for hackers to lurk

Know the risks of public wifi.

Usually it’s free and often, it’s not secure. Avoid visiting sensitive sites such as banks, accounts packages, work ticketing systems when connected.

Company VPN’s can be used if you need to do this regularly. Personal VPN applications are good too for personal browsing.

Risk #3 – processes

Image of white lever arch files

Processes have been intertwined within the previous two sections. We’ve discussed standardised builds, communications. device and social media policies.

It’s now time to mop up some of the areas we’ve not yet mentioned.

How would you respond to an emergency if your digital channels were down?

If and when something does go wrong have you considered how you would communicate with your customers?

Host your status page on a completely separate hosting provider to all your other business activities and remember, to make the password accessible for when you are offline.

Status pages are for facts. Do not speculate or discuss issues that have not been confirmed.

Image of Dogsbody Technology Status Page

Crisis communications is a consideration for all businesses.


You rarely hear people talking about the joys of documentation, however it’s a necessary evil of business and absolutely could be your saviour one day.

Here at Dogsbody, we do it as a matter of course. Without shared documentation, IT systems are left exposed. employees leave, employees get sick. It’s essential others can understand how your IT infrastructure works.

Server build documentation is the recipe for your servers. If a server was down and the only way to recover it was to rebuild it – would you know how to? Is it clear how it was set up … who had access … and how the operating system was configured?

Having a build guide document in place means anyone can pick it up and get it back online quickly.

Subscribe for service updates

Subscribe to your providers service updates, notifications, emails and/or RSS feeds, monitor Status pages, hang out on tech forums – as a Linux managed server provider, our team are always reading blogs, security updates and notices – its just part of the day job.

The Government National Cyber security centre release weekly threat reports as well as advice on all security topics.


That wraps up our small business cyber security plan. We hope it makes you think about how your business approaches online security.

If we can help answer any questions, please don’t hesitate to get in touch.

Python 2 will go end of life on 01 Jan 2020

Quick Public Safety Announcement, Python 2.7 goes end of life 01 Jan 2020.  This is the end of the road for Python 2.x – there won’t be a version 2.8.

This means any Python code that’s still on 2.x needs updating to Python 3.  Any code that isn’t moved over won’t receive security updates so will inevitably become insecure.

Identify your code

If you’ve got a lot of code it’s worth taking the time to check what’s where and which version of Python it’s using.

Python 3 was released at the end of 2008.  Adoption has been slow, a factor has been that all of your dependencies need to support Python 3 before you can.  Now that we’re over 10 years down the road this is much less likely to be an issue.

You can start off by checking code that has been written more recently.  Hopefully this will have been written for Python 3.  A survey by JetBrains shows that between 2017 and 2018 the number of developers that mostly used Python 2 fell from 25% to just 16%.  It’s also interesting to note the divide between use cases.  Data science having better adoption than both web and dev-ops.

Don’t forget old code

Unfortunately the numbers above are for code that developers are writing now.  We’re also concerned with code that was written many years ago and hasn’t recently had any major changes.  Looking at the number of packages downloaded instead of what developers are mostly using gives a different picture.  The numbers are closer to 50/50 with the trend between data science and dev-ops still clear.  TensorFlow is most often downloaded for Python 3 whilst botocore is heavily Python 2.  Boto is heavily used in API access to cloud providers such as AWS.

If all of your recent code is Python 3 it’s worth having a good dig around for places old code might be hiding.

What are the steps to update to Python 3?

  • The first step to update code is to make sure any packages you’re using support Python 3.  A tool such as caniusepython3 should show you where the issues are.
  • After that depending on the complexity of your code you can update it by hand or use a tool such as Futurize to help with the conversion .

A key part of smoothly updating is to have a good testing process so you can quickly find and fix the bits that unexpectedly break.  See the porting guide for more info.


Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

PHP 7.2

PHP 7.1 will go end of life on 1 Dec 2019

PHP 7.1 goes end of life (EOL) on the 1st December 2019 meaning known security flaws will no longer be fixed and sites are exposed to significant security vulnerabilities.

It is important to update them to a newer version. We would recommend updating to either:

  • 7.2 supported until 30 November 2020
  • 7.3 supported until 6 December 2021

As with any upgrade you will want to test your site on the new version before migrating. You may need to get your developers to update some code, check plugins and app versions for the new PHP supportability.

If you love a pie chart, Jordi Boggiano has provided this great overview of the PHP versions out there.

PHP VersionsUpgrade from PHP 7.1 before the 1st December 2019.

Want a hand? Get in touch!


Password Managers: What, How & Why?

So its 2019 and the new years resolution are on hold; Veganuary is over and Marie Kondo is helping us declutter our servers lifes. We expect a few new website and apps have caught your attention and you’ve created an account using a unique strong 12+ character password. Right?

Unfortunately data breaches are as prevalent now as they ever were. If you are still trying to memorise all your passwords, or writing them down, or the big no no, reusing them then make 2019 the year you improve your relationship with passwords.

Today we are talking about Password Managers as a method of creating and storing your passwords.

What is a password manager?

A password manager is an app, device, or cloud service that stores your passwords in an encrypted vault that can only be unlocked with a single master password. This means you only have to remember one ultra secure password not 100’s.

How does a Password manager work?

The video below (from 2017) clearly explains why you should stop memorising your passwords and why a password manager maybe a great first step to managing and securing them.

Two keys points:

  • The password manager creates the random passwords for you – A password manager isn’t a place to store your own made up passwords, its a place to create random computer generated ones. I don’t even know my own passwords, I just know one master password.
  • A password manager can store other information too – for example – the security questions some websites ask you for, mothers maiden name, first pet, first school, where you meet your husband/wife, provided these aren’t being used to prove your identity, can be completely fictitious and different for every account you set up.

Adding a further level of security

Our other blog on Multi -Factor Authentication explains about a further level of security you can use if offered.

A poll in 2018 saw more than three quarters of 2,000 UK adults do not see the point of ‘unnecessary’, ‘overly complicated’ internet security measures, ironically 46% had been victims of banking fraud. I’ll let you draw your own conclusion!

Don’t let this be you, even if a password manager doesn’t appeal at least use unique strong 12+ character passwords. With a password manager you can have easily have a 64 character password and it will 4 untrigintillion years to crack.  If its easy to create and “remember” why wouldn’t you.

And finally why 12+ characters?

A 12 character unique random password would take a computer about 3 thousand years to crack, however this true story from 2017 proves to us that it could take a whole lot longer. Always be aware that a 3 thousand year password may well be a 300 year password in 10 years time so the more characters the better.



How will the Ubuntu 14.04 EOL affect me?

On April 2019, Ubuntu 14.04 reaches end of life (EOL).
We recommend that you update to Ubuntu 18.04.

Over time technology and security evolves, new bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies which new releases of software depend on, leading to compatibility issues.

Leaving old Ubuntu 14.04 systems past April 2019 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

Ubuntu End of life dates:

Ubuntu LTS (long term support) operating systems come with a 5 year End Of Life policy. This means that after 5 years it receives no maintenance updates including security updates.

  • Ubuntu 14.04 : April 2019
  • Ubuntu 16.04 : April 2021
  • Ubuntu 18.04 : April 2023


Just picking up your files and moving them from Ubuntu 14.04 to Ubuntu 18.04 will speed up your site due to the new software.

  • Apache 2.4.7 -> Apache 2.4.29
  • NGINX 1.4.6 -> NGINX 1.14.0
  • MySQL 5.5 -> MySQL 5.7
  • PHP 5.5 -> PHP 7.2

Are you still using an old operating system?

Want to upgrade?

Not sure if this effects you?

Drop us a line and see what we can do for you!


Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

PHP 5.6 will go end of life on 31 Dec 2018

Quick Public Safety Announcement, PHP 5.6 goes end of life (EOL) on the 31 December 2018.  This means that known security flaws will no longer be being fixed so any sites you have running on it will become vulnerable, hence it is important you update them to a newer version.

We recommend updating to the latest stable version (at the time of writing this is PHP 7.2).  As this is a major upgrade you will want to test your site on the new version and may need to get your developers to update some code before moving over.

If you’re unsure if you are affected or want a hand upgrading? Get in touch!

Everyone loves a good graph and Jordi Boggiano has provided this great overview of the PHP versions out there in the wild!

Feature image by See1,Do1,Teach1 licensed CC BY 2.0.