I have noticed this on my local Pi-Hole — that Little Snitch denials still result in a DNS resolution (i.e. requested hostname still has IP resolved).
To every person I've watched DENY a connection via LittleSnitch popup, I have been told "you don't know what you're talking about — why would it behave like that?!"
It just does. You need your own network DNS and firewalls, and you need to know how to use them.
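One way to check the observation above on your own resolver, as an added example that is not part of the original post: it scans Pi-hole's dnsmasq-format query log for denied hostnames that the Mac still looked up. The log lines, the Mac's address and the denied-hostname list are constructed assumptions; Little Snitch's own rule store is not read, so the denied list is entered by hand.

```python
import re
from collections import defaultdict

# Constructed sample of Pi-hole (dnsmasq) query log lines; not a real capture.
PIHOLE_LOG = """\
Mar  5 10:00:01 dnsmasq[812]: query[A] telemetry.example.net from 192.168.1.20
Mar  5 10:00:01 dnsmasq[812]: reply telemetry.example.net is 203.0.113.7
Mar  5 10:00:02 dnsmasq[812]: query[AAAA] telemetry.example.net from 192.168.1.20
Mar  5 10:00:02 dnsmasq[812]: reply telemetry.example.net is NODATA-IPv6
Mar  5 10:00:05 dnsmasq[812]: query[A] updates.example.org from 192.168.1.20
Mar  5 10:00:05 dnsmasq[812]: reply updates.example.org is 198.51.100.9
Mar  5 10:00:09 dnsmasq[812]: query[A] telemetry.example.net from 192.168.1.31
"""

# Hostnames the user denied in Little Snitch on the Mac at MAC_IP (assumed values,
# entered by hand; this check does not read Little Snitch's rule store).
DENIED_HOSTS = {"telemetry.example.net"}
MAC_IP = "192.168.1.20"

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<host>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"reply (?P<host>\S+) is (?P<answer>\S+)")


def find_leaked_lookups(log_text, denied_hosts, client_ip):
    """Return {hostname: [answers]} for denied hostnames that client_ip still queried.

    A denied connection that shows up as a query here is the leak described in the
    thread: the resolver saw the hostname even though the firewall refused the connection.
    dnsmasq reply lines carry no client address, so answers are attributed to the
    hostname, not to the client.
    """
    pending = defaultdict(list)   # host -> query types seen from client_ip
    answers = defaultdict(list)   # host -> answers logged after such a query
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m["client"] == client_ip and m["host"] in denied_hosts:
            pending[m["host"]].append(m["qtype"])
            continue
        m = REPLY_RE.search(line)
        if m and m["host"] in pending:
            answers[m["host"]].append(m["answer"])
    return {host: answers.get(host, []) for host in pending}


if __name__ == "__main__":
    for host, seen in find_leaked_lookups(PIHOLE_LOG, DENIED_HOSTS, MAC_IP).items():
        print(f"denied host {host} was still resolved: {seen}")
```

On a real Pi-hole the log is usually /var/log/pihole.log (assumed path; it varies by version), so read that file into `log_text` instead of the sample.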
Wow, that is absurdly careless. I paid money for Little Snitch and I am incredibly disappointed and feel a huge loss of trust. I trusted Little Snitch to keep me safe from things I consider harmful and now it comes out they don't care about privacy at all.
Not a Little Snitch user; however, I do happen to agree with the author that they should disclose this somewhere.
A quick Google search and some viewing of Objective Development's help center don't show any related results. Amusingly, it's the author's post and the other article mentioned that take the top slot.
As for remediations, the difficult but proper implementation would be to intercept, but handle the TCP handshake and emulate the responses in order to get the SNI. The easy way is to just add a behavior toggle with an explanation of the caveats.
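The "proper" remediation sketched above depends on reading the hostname out of the client's TLS ClientHello, which only arrives after the TCP handshake has completed; a bare SYN carries no hostname at all. As an added example (not Little Snitch's code or anything from Objective Development), the following builds a constructed ClientHello and parses the server_name extension out of it the way such a firewall would have to, returning None for a record without SNI, a truncated record, or non-TLS bytes.

```python
import struct

def build_client_hello(hostname=None):
    """Constructed TLS 1.2 ClientHello with a fixed random; hostname=None omits the SNI extension."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name(0), length, name
        sni = struct.pack("!H", len(entry)) + entry                # server_name_list
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni          # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                             # client_version + random
            + b"\x00"                                               # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
            + b"\x01\x00")                                          # null compression only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type handshake(22)

def extract_sni(data):
    """Return the SNI host_name from a ClientHello record, or None if absent or malformed.
    This record is the earliest point at which a firewall can learn the requested hostname."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None                                                 # not a handshake record
    hs_len = int.from_bytes(data[6:9], "big")
    hs = data[9:9 + hs_len]
    if len(hs) != hs_len:
        return None                                                 # truncated record
    try:
        p = 2 + 32                                                  # skip client_version + random
        p += 1 + hs[p]                                              # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]                # cipher_suites
        p += 1 + hs[p]                                              # compression_methods
        ext_end = min(p + 2 + struct.unpack("!H", hs[p:p + 2])[0], len(hs))
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:                                     # server_name extension
                q, stop = p + 2, min(p + elen, ext_end)             # skip server_name_list length
                while q + 3 <= stop:
                    ntype, nlen = hs[q], struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                                  # host_name entry
                        return hs[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            p += elen
    except (IndexError, struct.error):
        return None                                                 # malformed or no extensions
    return None
```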
I don't understand the negativity in here. I would never expect Little Snitch (my opinion) to completely block all network traffic on all levels and this seems reasonable to me. Does it leak my IP? Yes. Do I think it compromises my security? No, there's so much noise on internet-facing services that just initiating a connection would easily get lost in the noise of all the botnets, port scans and legitimate users.
There's a huge amount of other ways data can be exfiltrated if one wishes to do so, from domain fronting, DNS level (you can easily tunnel data via DNS), forcing the OS and/or a whitelisted application to do it on your behalf (haven't tried but I think the files where rules are stored are readable by the current user/process?). Such techniques can bypass even insanely expensive network IDS taps if there is enough incentive on the attacker side. I would never expect Little Snitch to be on the same level as those expensive network taps.
I think the use case people now forget is preventing applications from sending meaningful data to analytic services like Google AdSense and similar or sending full data payloads (like an HTTP body). For this it's good enough. If your worry is about advanced techniques that would exfiltrate the data via DNS tunneling, partial TCP handshakes or forcing the OS to do the connection/beacon for you, then Little Snitch isn't going to help you and your problem is somewhere else. The last Electron-wrapped application you downloaded that is packed with 5+ ad services isn't going to do that so it can get your IP.
On the other hand the wording may have been changed slightly, and their use of the word "data", so it doesn't give the user the wrong impression, but there is also a balance between explaining in 1-2 sentences what it does and writing a 20-page document just to explain that and be technically correct in every word.
> I would never expect Little Snitch (my opinion) to completely block all network traffic on all levels
It's very easy to say this in retrospect, having read the blog post. How many people would have said it beforehand?
As far as I can tell, hardly anyone has ever said it, except the one other mentioned article from 2021: https://rhinosecuritylabs.com/network-security/bypassing-lit...
Moreover, it seems that Little Snitch changed its behavior at some point in order to use deep packet inspection. It wasn't always that way.
Is this a GPT written screed?
This is such a stupid design decision, especially for the blocked processes, very disappointed in Little Snitch, and what's worse is that it seems the alternatives are not better :(
Is this due to a limitation in macOS?
According to the follow-up post the issue with LuLu (an alternative firewall) might be due to a bug in Mac https://lapcatsoftware.com/articles/2023/3/5.html
But the issue with Little Snitch isn't a platform limitation.
allows you to modulate a signal onto connection attempts to bypass Little Snitch entirely!