Privacy

Data Privacy Day 2017

This year we bring you an infographic showing how data privacy is good for business. We also encourage you to check out last year's post about the requirements of running a business in the UK.

Feature image by g4ll4is under the CC BY-SA 2.0 license.

HTTP/2

HTTP/2 is a fairly new technology, offering significant improvements over its predecessors, whilst remaining backwards compatible with previous web browsers and services. HTTP/2 is only going to get bigger, and it’s certainly not going away any time soon, so here’s some stuff you should know about it.

Before we get too in depth with the advantages of HTTP/2 and the reasons you should be using it, it’s important we understand what HTTP is in the first place, and how it fits into modern internet use.

HTTP stands for Hypertext Transfer Protocol, and it is one of the main parts of the modern web as we know it. It is a set of rules for how information should be sent and received between systems. Any text, images and media you see and interact with on a standard web page (including this one) will most likely have been sent to you using HTTP.

The downsides of regular ol’ HTTP

HTTP has been around for a long time. This of course is not inherently bad, but HTTP was designed a long time ago, and things have changed a lot since then. HTTP/1.1, which is the version that a very large majority of the modern web uses, was first standardised in 1997, and saw major development before that date too.

That’s 20 years ago now, and in that time the internet has gone from something connecting only large enterprises and government facilities, into a truly global communications utility used daily by billions of people.

The original HTTP/1.1 spec was never designed with this sense of scale and use in mind, and so it has shortcomings in the modern day, resulting in the need for often time-consuming and complex workarounds.

One of the biggest drawbacks of HTTP/1.1 is the need for new connections on every request. This adds overhead, which is amplified by the large number of assets used on most modern websites, and amplified even further by the additional cost of negotiating HTTPS connections when loading assets securely.

What is HTTP/2 and what are the advantages?

HTTP/2 is the newest version of HTTP, and was standardised in mid-2015, taking influence from the earlier SPDY protocol, initially designed by Google. HTTP/2 offers significant improvements over previous versions in the following ways:

  • Server push – the web server running your website can push assets to visitors before they request them, speeding up the overall load times of pages
  • Concurrency – all communication can happen via one connection, removing the overhead and complexity of establishing and maintaining multiple connections, which again results in speed improvements
  • Dependency specifications – you can now specify which of the items on your page are most important, and make sure the most important ones are dealt with first. This means the content somebody wants to see can be displayed sooner
  • Header compression – decreases the amount of data to be transferred by compressing the metadata in messages being sent and received, lowering bandwidth usage and once again decreasing load times

All of these advantages, combined with sites and applications making the most of them, can result in significant improvements in page load speeds, particularly on mobile devices, and a much nicer overall experience on the web.

An interesting point on HTTP/2 is that although there is nothing in the RFC that specifies HTTP/2 should only support encrypted connections (using TLS or SSL), some major browsers such as Firefox and Chrome have stated they will not support HTTP/2 over plain-HTTP connections. This means that in a lot of cases, you’ll have to support HTTPS in order to reap the benefits that HTTP/2 provides, but you should really be using HTTPS by now anyway, so this is not too big a deal.

Sound good? We can help!

If HTTP/2 sounds like something you’re interested in, then just get in touch and we’re more than happy to help. We’ve been running HTTP/2 on our website for quite a while now, and we’d love to help you get it running on yours!

How will Ubuntu 12.04 end of life affect me?

In April 2017, Ubuntu 12.04 reaches end of life.
We recommend that you update to Ubuntu 16.04.

Over time technology and security evolve, new bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies which new releases of software depend on, leading to compatibility issues.

Leaving old Ubuntu 12.04 systems running past April 2017 exposes you to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

Ubuntu End of life dates:

Ubuntu LTS (long term support) operating systems come with a 5 year End Of Life policy. This means that after 5 years they receive no maintenance updates, including security updates.

  • Ubuntu 12.04 : April 2017
  • Ubuntu 14.04 : April 2019
  • Ubuntu 16.04 : April 2021

Faster:

Just picking up your files and moving them from Ubuntu 12.04 to Ubuntu 16.04 will speed up your site due to the new software.

  • Apache 2.2 -> Apache 2.4
  • MySQL 5.5 -> MySQL 5.6
  • PHP 5.3 -> PHP 7.0

Are you still using an old operating system?

Want to upgrade?

Not sure if this affects you?

Drop us a line and see what we can do for you!


Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

Open-sourcing our Raspberry Pi Displayboard

Our office warboard runs off a simple Raspberry Pi plugged into a wall-mounted TV; however, the code to get this to work reliably has taken a bit of tweaking over the years.

Today we continue our efforts to give back to the open source community by publishing our recipe for a solid, stable displayboard that can be used for anything from digital signage to office displays.

You can find all the code in our pi-display GitHub Repo.

This code…

  • Waits for the TV/display to be turned on before proceeding.
  • Reconfigures the resolution to match the best resolution the TV/display has to offer.
  • Fixes itself and any bad configuration should corruption occur from a bad webpage.
  • Works with the latest SSL technologies (TLS1.2).
  • Supports CEC commands allowing you to control the TV via the HDMI cable.
  • Installs fonts required for correct webpage rendering.

Our office warboard is not only locked down to certain IP addresses but also uses the latest SSL protocols and ciphers. The stock chromium on Raspberry Pi wasn’t up to date (v22 when the current version is v51) and didn’t support the latest security protocols.

This repo used to use the Epiphany browser instead, which was more up to date (but not as stable). Now (28 Sep 2016) the Raspberry Pi team have released PIXEL, which includes a much more up to date version of the Chromium browser.

This install also downloads and compiles the latest cec-client that allows you to turn the TV on and off each day via cron.

Let us know if you find this useful and feel free to fork and/or make pull requests :-)

Types of SSL Certificates

The number of businesses that use SSL has increased tremendously over the past few years, and the reasons for which SSL is used have also increased, for example:

  • Some businesses need SSL to simply provide confidentiality (i.e. encryption)
  • Some businesses like to use SSL to add more trust or confidence in security and identity (they want you to know that they are a legitimate company and can prove it)

As the reasons companies use SSL have broadened, three different types of SSL Certificates have been established:

  • Extended Validation (EV) SSL Certificates
  • Organization Validation (OV) SSL Certificates
  • Domain Validation (DV) SSL Certificates

Extended Validation (EV) SSL Certificates are issued only when a Certificate Authority (CA) checks to make sure that the applicant actually has the right to the specific domain name, and the CA also conducts a very THOROUGH vetting (investigation) of the organization. The issuance process for EV Certificates is standardized and strictly outlined in the EV Guidelines, created by the CA/Browser Forum in 2007, which specify the required steps a CA must take before issuing an EV certificate:

  1. Must verify the legal, physical & operational existence of the entity
  2. Must verify that the identity of the entity matches official records
  3. Must verify that the entity has the exclusive right to use the domain specified in the EV Certificate
  4. Must verify that the entity has properly authorized the issuance of the EV Certificate

EV Certificates are used for all types of businesses, including government entities and both incorporated & unincorporated businesses.

A second set of guidelines, the EV Audit Guidelines, applies to the CA itself and establishes the criteria against which a CA must be audited before being allowed to issue EV Certificates. These audits are carried out every year to ensure the integrity of the issuance process.

  • Takes 7-14 days to provision
  • Expect costs to be at least £150+
  • Gives a green bar in the browser

We recommend EV certificates if you are asking for sensitive details such as credit card information on your website.

Organization Validation (OV) SSL Certificates are issued only when a Certificate Authority (CA) checks to make sure that the applicant actually has the right to the specific domain name, and the CA also does some vetting (investigation) of the organization. This additional vetted company info is displayed to customers when the Secure Site Seal is clicked on; this gives enhanced visibility of who is behind the site, which in turn gives enhanced trust in the site.

  • Takes 1-3 days to provision
  • Expect costs in the range of £40 to £100

The perfect certificate for any business's website.

Domain Validation (DV) SSL Certificates are issued when the CA checks to make sure that the applicant actually has the right to the specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal. DV certs can be issued immediately.

  • Instant provisioning
  • Usually around £10. However, notably, Let's Encrypt provides free certificates

This is perfect for securing everyday websites like blogs.

Adding Google Analytics tracking to WordPress via a plugin

Before we start you will need a Google Analytics account. See our other guide for setting up a Google Analytics account.

There are many plugins that add Google Analytics to a WordPress site. Some will add Google Analytics reports into your WordPress site admin interface, and others will just push your site's data to Google Analytics, meaning you have to view it on the Google Analytics website.

For this post we are installing Google Analytics Dashboard for WP. As with any plugin, you need to consider security. Look for plugins that have had lots of downloads and good reviews, and that have been updated within the last 6 months. Plugins can be made by anyone with programming skills, and like most things, people lose interest or run out of time to keep their plugin secure and updated. An insecure plugin could be the way hackers get into your website and cause issues.

To install Google Analytics Dashboard for WordPress:

  1. Log into your WordPress site (www.example.co.uk/wp-admin)
  2. On the left hand side go to Plugins and click Add New.
  3. Search Plugins in the right hand corner of the page for ‘Google Analytics Dashboard for WP’ and click Install Now.
  4. On the install page click Activate Plugin – you will now see Google Analytics on your left hand menu
  5. Select Google Analytics – General Settings and click Authorise Plugin
  6. Click the red link (Get Access Code) on this page to generate and get your access code. A new window will pop-up asking you to allow specific data from your Google Analytics account to be used by Google Analytics Dashboard for WP. After agreement, an access code will be provided.
  7. Copy the code, paste it in the field called Access Code and save it by pressing the Save Access Code button.
  8. Once set up, please be aware it may take up to 24 hours for data to appear in your reports.

You are now set to explore and set up Google Analytics Dashboard for WP as you wish. For more information and a more in depth video on how it works please visit the Google Analytics Dashboard for WP Documentation, Tutorials and FAQ page.


How to set up Google Analytics for your website

There are three parts to setting up Google Analytics to start collecting basic data from your website.

  1. Create a Google account or activate (access) Google Analytics on your existing google account
  2. Set up a property in your google account.
  3. Follow the instructions to set up web tracking

Only you as the website owner can set this up, as it comes under your personal Google account, so your web host or developer will not be able to set this up for you. However, it is very easy to do and a simple guide is below:

Create a Google account or activate (access) Google Analytics on your existing google account

First you will need to create a Google Analytics account. To do this, visit Google Analytics Signup Page.

If you already have a Gmail/Google account, then use that to sign-in with. If you do not have a Gmail/Google account, then you will have to create an account for yourself.

If during the sign in/up process you end up on the wrong page just visit https://analytics.google.com/ to get you back on the right page.

Set up a property in your google account

Once signed into your Google Analytics account, go to the ADMIN tab along the top of the page.

In the ACCOUNT column, use the dropdown menu to select the account to which you want to add the property.
In the PROPERTY column, select Create new property from the dropdown menu and select website.

Tips for completing the form

Website Name: you can simply use your URL if you wish.

Website URL: just type in your website address! Select the protocol standard (http:// or https://). Enter the domain name without any characters following it, including a trailing slash (www.example.com, not www.example.com/).

Industry Category:  this is optional and can be left blank if you struggle to find an appropriate category for your business.

Reporting Time Zone: Pick your time zone. This is key for making sure the way Google Analytics counts days lines up with your own business day.

Data Sharing Settings (if shown): completely optional. Select and deselect as you feel comfortable.

Click the blue Get Tracking ID button. Your property is created after you click this button, but you must set up the tracking code to collect data.

Follow the instructions to set up web tracking

There are several ways to collect data in Analytics, depending on what you want to track. This Set up Analytics tracking guide gives you the instruction on the best installation method for what you wish to track.

If you are using WordPress please refer to our Google Analytics for WordPress post.

Whatever method you use to set up Google Analytics, please be aware it may take up to 24 hours for data to appear in your reports.

HashGate

HashGate: An intrusion detection tool

HashGate is a simple intrusion detection tool we wrote for use internally and in customer environments to monitor files and alert us on any unauthorised changes to them.

We try very hard not to re-invent the wheel and are already big users of tools such as Tripwire and Rootkit Hunter, but we wanted something lightweight for monitoring site files, not system files.

HashGate is written in Python using only core modules and aims to work on all platforms that can run Python 2.7, not just Linux!

Our main use for HashGate is monitoring files on WordPress & Magento installations, which are more commonly exposed to vulnerabilities allowing hackers to modify files. HashGate records the hashsum of all files in the specified directory and stores them for checking periodically; we run our checks hourly via cron.

Below is a basic example output where a file has been modified:

alex@dogsbody-alex:~$ ./hashgate.py -ca /tmp/files.cache -f /home/alex/Documents/Junk/ -t check
The following files were modified:
/home/alex/Documents/Junk/wordpress/index.php
----------------------------------

Other features of HashGate include whitelisting, which allows us to ignore files that frequently change and don’t need to be monitored such as WordPress’ cache files or Magento’s sessions directory.

There is also VirusTotal checking, where HashGate will check flagged files' hashes against VirusTotal's database of malicious files to determine whether the change was malicious or not. Due to the nature of VirusTotal's API we're only able to make 4 requests per minute, so if lots of files are flagged it will add some extra time to hash checks.

We have recently open sourced this tool, and you can find more information and a list of the full features and usage in the GitHub repo. If you feel something can be written better or there's a feature you'd like to add, we invite you to contribute and help us build a better tool. We make use of tools like HashGate in some of our server monitoring packages, so be sure to check them out and get in contact if they could be of use.
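A minimal file-integrity check in the same spirit as HashGate's update/check cycle, written here as an added example rather than HashGate's own code (which lives in the GitHub repo): it records SHA-256 hashes of every file under a directory into a JSON cache, skips whitelisted globs such as a cache directory, and on a later run reports modified, added and deleted files. The site layout, cache path and whitelist pattern in demo() are constructed for the example.

```python
import fnmatch
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large uploads do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_directory(root, whitelist=()):
    """Map each file path (relative to root) to its hash, skipping whitelisted globs."""
    root = Path(root)
    hashes = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            # The whitelist covers files that churn legitimately (caches, sessions)
            if full.is_symlink() or any(fnmatch.fnmatch(rel, p) for p in whitelist):
                continue
            hashes[rel] = hash_file(full)
    return hashes

def write_cache(hashes, cache_path):
    with open(cache_path, "w") as fh:
        json.dump(hashes, fh, indent=2, sort_keys=True)

def check(root, cache_path, whitelist=()):
    """Compare the live tree with the stored baseline; report modified/added/deleted."""
    with open(cache_path) as fh:
        baseline = json.load(fh)
    current = scan_directory(root, whitelist)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed site tree: snapshot it, change it, then run a check (returns the report)."""
    with tempfile.TemporaryDirectory() as tmp:
        site, cache = Path(tmp) / "site", Path(tmp) / "files.cache"
        whitelist = ("wp-content/cache/*",)
        for rel in ("wordpress/index.php", "wordpress/wp-config.php", "wp-content/cache/page.html"):
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text("original content of %s\n" % rel)
        write_cache(scan_directory(site, whitelist), cache)  # the baseline ("update") run
        (site / "wordpress/index.php").write_text("content changed after the snapshot\n")
        (site / "wordpress/unexpected.php").write_text("file that was not in the baseline\n")
        (site / "wordpress/wp-config.php").unlink()
        (site / "wp-content/cache/other.html").write_text("cache churn, ignored\n")
        return check(site, cache, whitelist)  # the hourly "check" run

if __name__ == "__main__":
    for kind, paths in demo().items():
        if paths:
            print("The following files were %s:\n%s\n%s" % (kind, "\n".join(paths), "-" * 34))
```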

PHP 5.5 support will stop on 10 July 2016

Quick Public Safety Announcement: PHP 5.5 is end of life on 10 July 2016.

Anything not running PHP version 5.6 or newer exposes your site to significant security vulnerabilities.

We have ensured that all our customers are safe and ready. Unsure if you are affected? Want a hand upgrading? Get in touch!


Image: Composer PHP usage chart, 2016-01

I am a big fan of graphs, and Jordi Boggiano has provided this great overview of the PHP versions out there in the wild!

We are very happy to see a big drop in PHP 5.3 and 5.4 since they have long passed end of life and a surprisingly quick rise in the brand new PHP 7.0. :)


Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

Pushover Alerts

Alerts & Webhooks with AWS Lambda

Here at Dogsbody Technology we monitor servers and services for hundreds of clients; you may have read our previous blog post talking about our Warboard and how we make use of it. This blog post covers the other tools we use for responding to incidents and issues in real time, our Dogsbody Technology Webhooks.

The main things we use the webhooks for are Pingdom, Newrelic & Sirportly alerts. When an incident is triggered in Pingdom or Newrelic, they make an API call to our webhook with the relevant information we require to investigate the incident; the webhook then determines the priority of the incident and sends an alert to our Pushover user accounts so we are alerted and can respond.

High priority alerts, such as site outages, also trigger a rotating blue police style light, accompanied by a siren sound from the office speaker.


Office Siren

The Dogsbody Technology office siren


We also use the webhooks to notify a user when certain interactions happen in our ticketing system Sirportly, such as being assigned a new ticket or when one of their existing tickets is replied to.

To ensure our webhooks would have near to 100% uptime and we wouldn't miss an alert, we decided the best place to host them would be on AWS Lambda & AWS API Gateway. These two services combined allow us to run the webhooks on Amazon's high availability infrastructure while only paying small amounts on a per request/alert basis, which is the perfect type of model for this service.

To put into perspective how cost effective AWS’ pricing model for our alerts is, last month (June 2016) we received 25,282 alerts for all of our endpoints combined. This worked out at a total monthly cost of … $0.10! AWS actually provide you with a free amount of lambda execution time per month which we haven’t even reached yet, we’re only getting charged that 10 cents for the API Gateway.
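An added example of the flow described above, not Dogsbody's own webhook code: an API Gateway proxy event carrying an alert reaches a Lambda handler, which classifies the alert's priority, flags whether the office siren should fire, and forwards the message to Pushover. The alert field names, the X-Webhook-Secret header check (a shared secret the page does not describe) and the token placeholders are assumptions made for the example.

```python
import hmac
import json
import urllib.parse
import urllib.request

PUSHOVER_URL = "https://api.pushover.net/1/messages.json"  # Pushover's message API
PUSHOVER_TOKEN = "APP_TOKEN_PLACEHOLDER"      # placeholder: Pushover application token
PUSHOVER_USER = "USER_KEY_PLACEHOLDER"        # placeholder: Pushover user or group key
WEBHOOK_SECRET = "SHARED_SECRET_PLACEHOLDER"  # placeholder: assumed secret the caller must send

# Constructed alert states, grouped by how urgently a human needs to see them.
OUTAGE_STATES = {"down", "critical", "outage"}
RECOVERY_STATES = {"up", "resolved", "recovered"}

def classify(alert):
    """Return (pushover_priority, siren) for an alert dict.

    Pushover priorities: -1 quiet, 0 normal, 1 high (bypasses the user's quiet hours)."""
    state = str(alert.get("state", "")).strip().lower()
    if state in OUTAGE_STATES:
        return 1, True    # site outage: high priority and the office siren
    if state in RECOVERY_STATES:
        return -1, False  # recovery: deliver quietly
    return 0, False       # warnings and anything unknown: normal priority

def format_message(alert):
    return "[%s] %s is %s: %s" % (
        alert.get("source", "unknown"), alert.get("check", "?"),
        alert.get("state", "?"), alert.get("message", ""))

def send_pushover(message, priority):
    """POST the alert to Pushover (a network call; tests pass a stub instead)."""
    data = urllib.parse.urlencode({"token": PUSHOVER_TOKEN, "user": PUSHOVER_USER,
                                   "message": message, "priority": priority}).encode()
    with urllib.request.urlopen(PUSHOVER_URL, data=data, timeout=10) as resp:
        return resp.status

def handler(event, context=None, send=send_pushover):
    """Lambda entry point behind API Gateway (proxy integration): event['body'] is the JSON alert."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    # Reject callers that do not present the shared secret (assumed scheme, see lead-in)
    if not hmac.compare_digest(headers.get("x-webhook-secret", ""), WEBHOOK_SECRET):
        return {"statusCode": 401, "body": json.dumps({"error": "bad secret"})}
    try:
        alert = json.loads(event.get("body") or "")
        if not isinstance(alert, dict):
            raise ValueError("expected a JSON object")
    except ValueError:
        return {"statusCode": 400, "body": json.dumps({"error": "body is not a JSON object"})}
    priority, siren = classify(alert)
    send(format_message(alert), priority)
    return {"statusCode": 200, "body": json.dumps({"priority": priority, "siren": siren})}
```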

Let us know if you find any of the services and technologies mentioned above interesting and we can write some more in-depth blog posts on those subjects, and even some guides on using them. The alerts talked about in this blog post come with the majority of our server monitoring packages, so be sure to get in contact if you need any of our services.