• fheidenreich 12 months ago

    I've received several reports from users who cannot access Discogs from Windows 7 anymore. It seems to coincide with a recent server update, where the Discogs SSL certificates were changed.

    It's namely related to programs that are accessing the API via built-in Windows functions (WinHttp). Can someone from Staff shed some light into this recent change and give insights if this will be permanent?
  • bayrunner13 12 months ago

    I'm using Windows 8.1 and I have the issue that fheidenreich is talking about when trying to use MP3tag to edit tags using Discogs as the source. It was working fine until the recent server update by Discogs.
    It was an invaluable resource so hopefully a fix can be found.
  • djbrambich 12 months ago

    Cannot access anymore with IE but chrome does it. Under win 7
  • redwood66 12 months ago

    redwood66 edited 12 months ago
    I can confirm the error on win 7.
    Mp3tag 2.99 (what I updated from 2.89 to see if the error will disappear).
    Is there a Certificate file to dl manually to test with?
  • Miltiades 12 months ago

    fheidenreich
    I've received several reports from users who cannot access Discogs from Windows 7 anymore. It seems to coincide with a recent server update, where the Discogs SSL certificates were changed.

    It's namely related to programs that are accessing the API via built-in Windows functions (WinHttp). Can someone from Staff shed some light into this recent change and give insights if this will be permanent?


    I have the same issue under win7 and foobar.
  • jweijde 12 months ago

    Seems to be related to a Windows update https://www.discogs.com/forum/thread/809378
  • Miltiades 12 months ago

    jweijde
    Seems to be related to a Windows update https://www.discogs.com/forum/thread/809378


    Sorry to say that, but I don't think so: TLS settings are on and my HTPC remains without WinUpdates... Anyway, I haven't changed anything in years.
  • jweijde 12 months ago

    jweijde edited 12 months ago
    Miltiades
    I have the same issue under win7 and foobar.


    I have these issues too.
    My PHP based API tools still work though.
  • Refried 12 months ago

    Refried edited 12 months ago
    Hmm. They changed their TLS handshake for no understandable reason, and they probably won't give one, either. This is on their end, it isn't you. Everything else still works for fetching information.
    I doubt, unless they comment here, that they'll do a damn thing about it. They've broken calls by doing this, and will probably say it has to do with lack of security (which is nonsense), and it coincidentally has occurred right as Microsoft decided to stop update/patch support for Windows 7, which has no relation at all to their TLS security, and it will affect machines regardless of their installed updates running that operating system.

    Here are the new cyphers that windows 8.0 and below do not support (by first party):
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

    So, this means unless they remove the requirement, anyone below windows 8 will not be able to have their API apps function properly or those who use them on windows8 and below with work correctly. There's absolutely no reason they need to do this for API applications, and it's frankly just a big middle finger to programmers.
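Added example, not part of the thread or of any Discogs or Windows code: a sketch of why a server restricted to the three suites listed in the post above rejects a client that offers none of them. The client offers are constructed for illustration (not captured from a real Windows 7 or IE 11 handshake), and choosing the first match in client order is an assumption.

```python
import struct

# Suites the post above lists as required after the change (IANA code points).
SERVER_ALLOWED = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
# Constructed client offers (illustrative, not captured from real clients).
LEGACY_OFFER = [0xC027, 0xC028, 0xC013, 0xC014, 0x003C, 0x002F]  # CBC-only suites
MODERN_OFFER = [0xC030, 0xC02F, 0xC027]

def build_client_hello(suites):
    """Build a minimal TLS 1.2 ClientHello record (no extensions) as sample input."""
    body = b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_suites(record):
    """Extract the cipher_suites vector from a ClientHello record."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        pos = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                 # skip session id
        (n,) = struct.unpack_from("!H", record, pos)
        pos += 2
        if n % 2 or pos + n > len(record):
            raise ValueError("malformed cipher_suites vector")
        return [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, n, 2)]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def negotiate(record, allowed=SERVER_ALLOWED):
    """First offered suite the server allows, or None (server sends handshake_failure)."""
    for suite in offered_suites(record):       # client order: an assumption
        if suite in allowed:
            return allowed[suite]
    return None

if __name__ == "__main__":
    for label, offer in (("legacy", LEGACY_OFFER), ("modern", MODERN_OFFER)):
        print(label, "->", negotiate(build_client_hello(offer)))
```

Run against a ClientHello taken from a packet capture, the same parser shows which suites a failing client actually offers, which is the list to compare with the server's configuration before a cipher change ships.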
  • BarnyardOrbit 12 months ago

    BarnyardOrbit edited 12 months ago
    +1 Refried has nailed it, and while surely not intentional it's nonetheless had a major negative impact for many users and developers across the community.

    We've stated our case with nik in this thread and sought some relief for everyone experiencing these issues.
  • theFBI 12 months ago

    It seems their opinion is made and stated loud and clear:

    nik
    I would advise running the latest version of operating system and a compatible browser to maintain access to the site. Thanks!


    I wonder if it would help to better bring the message of userbase disapproval across if a d-d-o-s were executed on discogs servers (don't worry, their tendency to bluntly dismiss any feedback will prevent them from being able to spell it).
  • BarnyardOrbit 12 months ago

    The following "modern" browser/OS combinations appear to be "not supported" by the recently deployed security update. We believe this to be a fairly complete list, although perhaps not exhaustive:

    IE 11 / Win 7
    IE 11 / Win 8.1
    IE 11 / Win Phone 8.1
    IE 11 / Win Phone 8.1

    Safari 6 / iOS 6.0.1
    Safari 7 / iOS 7.1
    Safari 8 / iOS 8.4

    Safari 7 / OS X 10.9
    Safari 8 / OS X 10.10
  • bayrunner13 12 months ago

    Not much coming back from Discogs on this, is there? Will have to hold off paying this month's fees....
  • Refried 12 months ago

    Refried edited 12 months ago
    bayrunner13
    Not much coming back from Discogs on this, is there? Will have to hold off paying this month's fees....


    At the moment, they have gone back to the previous TLS for API applications. This means that some of them may go back to functioning properly. I know a few that do, however, if they feel that for some reason everyone should "update their OS" just to use a discogs API related application - they're out of their minds. If browsers can do it on their side without having to force users to update their OS, and many, many websites and standalone applications as well, so can they.

    Thanks to theFBI & BarnyardOrbit for directing to that post. Hopefully they cut this nonsense out.
  • ..DiamondDog.. 12 months ago

    Refried
    At the moment, they have gone back to the previous TLS for API applications.


    And foo_discogs works again here on win7...
    Thanks Refried.
  • Staff 22

    eknudtson 12 months ago

    Hey all,

    This went out accidentally with an upgrade to one of our internal components (they changed the TLS cipher suites allowed). In general we advise using a modern, updated browser and a supported non-EOL'd OS for your security.

    We strive to announce breaking changes in advance, but reserve the right to make security updates without warning that protect our users.

    Thanks for your understanding, and apologies for the inconvenience!
  • Refried 12 months ago

    eknudtson
    but reserve the right to make security updates without warning that protect our users.

    Yes, to your website is completely understandable. And that's why internet browsers update their ability to handle those components internally, but at the same time are backwards compatible, which is the only thing this site should be doing as well. Updating your encryption is a nice thing to do, and eventually browsers will follow, but to expect it on an operating system level is nuts.

    If you feel the need to update ciphers or SSL across the board without reverse compatibility, you're not providing security any more, you're dictating, and might as well make the site private with a list of requirements to visit. Also, this is just a website, and unless someone takes you over and injects users somehow or leaks information from your servers due to lack of server security, the users are never at risk for anything in regards to your website because of their operating system. So please, don't say it's for our security at that level. You guys are smart enough to know this, and you know you can provide authentication for API that doesn't require these ridiculously high encryption ciphers for the little amount of extra protection that may or may not be challenged.

    Thank you for rolling back.
  • BarnyardOrbit 12 months ago

    BarnyardOrbit edited 12 months ago
    Far, far wider support confirmed. Thanks eknudtson and nik for hearing our pleas and setting this straight.

    Refried
    You guys are smart enough to know this

    Some of the rest of us are, too. Quite obviously more "ooops" than "hair on fire" in this case. Post-rollback the site's security still scores "A+", which is pretty tough to attain yet still provide wide-scale browser/OS support. So kudos are definitely in order there.

    eknudtson
    We strive to announce breaking changes in advance, but reserve the right to make security updates without warning that protect our users.

    How about striving to announce some changes, any changes, period? As noted previously, the last informative Engineering Update was posted to the Change Log over two years ago. It takes a community to be well-informed, and they'd sure like to be, but only you guys can satisfy the collective desire!
  • yremogtnom 12 months ago

    Refried

    Also, this is just a website, and unless someone takes you over and injects users somehow or leaks information from your servers due to lack of server security, the users are never at risk for anything in regards to your website because of their operating system.


    While I agree that the change to the encryption level was a bit ridiculous for access with the API, I thought I'd point out it is *NOT* just their website. They have a sale-site built in, where you and I can engage in a transaction and you could purchase an album I have, or vice versa. This handles money and financial data. Though I haven't used it (yet) myself, I'm certain that it has credit card transactions... paypal, maybe... and I, for one, wouldn't want that information falling into the wrong hands because they didn't have [high enough] encryption on their servers.

    I am employed by a company that handles mail security. I deal with TLS encryption issues often where someone has their server set to only accept ciphers another server isn't configured for, and mail can't be transferred. I fully understand what happened here.

    And while I agree that for the API access - it is/was a bit much... - you can't yell at them for wanting to be secure. I wouldn't yell at my bank for locking me out of my account after a few bad passwords... or for logging in from a location where it was riddled with malware...
    "I had my caps lock on! Can't you tell that? You should know better!"

    That wouldn't go far... especially if someone then broke into my account after trying a few MORE passwords.

    We all need to look at the bigger picture sometimes - not just what affects us at the moment. Inconvenient? Yes. A burden for some, even, who use it for their business. But it _is_ their site, and it _is_ within their purview to protect it against malicious actors. I don't fault them for that at all.

    Happily for me, it appears I can use MediaMonkey again with Discogs to identify/tag tracks. (The music industry owes Discogs a stipend or royalties for the albums not identified correctly the first try, and I saw albums I didn't know existed... and have since purchased.)

    Be kind to the webmasters. They know things.......

    -- yremogtnom
  • DarreLP 12 months ago

    But seriously, stop using IE.
  • bayrunner13 12 months ago

    (The music industry owes Discogs a stipend or royalties for the albums not identified correctly)

    I'll never understand how, in 2020 (or 2019, 18, 17) some record companies can issue CDs with absolutely no tagging.
    The brand new Ruby Turner and the two newly reissued Roy Ayers CDs on BBE are just two examples. Bonkers.
  • fheidenreich 12 months ago

    eknudtson
    This went out accidentally with an upgrade to one of our internal components (they changed the TLS cipher suites allowed).

    Thanks for reverting the change! And still A+ on the SSL Labs rating.
  • coline741 12 months ago

    Old man with old windows 7

    Thank you to Discogs for reverting the change
  • Miltiades 12 months ago

    Thank You to everyone for rolling back :-)
  • LoveSoldier 12 months ago

    ++ Windows 7.
    Backwards compatibility is a must to millions of users relying on Discogs.
    I'm using the Discogs Tagger script for MediaMonkey (link), which requires IE.
  • dnsdies 12 months ago

    The discogs tagger in Foobar2000 seems to be broken.
    I've made sure my windows registry is set to use TLS 1.2 and I can't get OAuth to give me a PIN, it gives me:
    "(FATAL) Error: Network exceptionNetwork authentication error (80090302) (url: https://api.discogs.com/oauth/request_token)"
  • V30 10 months ago

    Same issue as Dnsdies. Any ideas?
  • jweijde 9 months ago

  • Recaster_Discs about 1 month ago

    I was wanting to dedicate an old Mac running OSX 10.5 for Discogs. Looks like I'm out of luck!
