![]() The blog post described a technique, along with a proof of concept, to connect to a server without triggering a Little Snitch alert dialog. For some reason, their blog post didn't seem to attract any public attention at the time I certainly wasn't aware of it back then. While researching my blog post, I discovered a blog post from 2021 by Rhino Security labs titled Bypassing Little Snitch Firewall with Empty TCP Packets. The information leak appears to occur for every TCP connection, as far as I can tell. (See man tcpdump for a description of the options.) sudo tcpdump -interface=all -n -no-promiscuous-mode Just run the following command from Terminal app. You can test the Little Snitch IP address leak yourself. Thus, before Little Snitch can perform deep packet inspection, the IP address of your Mac may have already been sent to the remote server! Every TCP packet, including any packet involved in the handshake, contains the IP addresses of the sender and the receiver. The IP address alone would not necessarily provide a unique domain name, because multiple domains can use the same IP address.Īn HTTP connection over TCP has to initiate a 3-step "handshake" before any actual data-such as HTTP headers-can be sent over the connection. I assume they meant for example the HTTP Host header, the HTTP/2 :authority pseudo-header, or the TLS Server Name Indication. Objective Development told me that Little Snitch uses deep packet inspection to try to get a name for the connection. However, when I emailed Objective Development, I learned the truth: Little Snitch allows some TCP packets to be sent. Disturbingly, though, there was some unusual TCP activity, for example to Apple! (The IP addresses were in Apple's allocated 17.0.0.0/8 IPv4 range.) At first I suspected that Apple had exempted itself from network extension filtering again. In the packet trace, I found no connections to Objective Development. I ran the tcpdump command in Terminal to record a packet trace, and then I reconnected my Mac to the internet to see what happens. (By the way, the "Information from Objective Development" in the screenshot below was available without an internet connection, so it appears to be bundled with Little Snitch.) It blocks everything except configd, which is required to connect to your router, and mDNSResponder, which is required to perform DNS queries. Below is a minimal set of rules that you can use for testing. I disconnected the Mac from the internet, installed Little Snitch, and went through the entire setup process. I tested this on one of my Macs that didn't yet have Little Snitch installed. The good news is that Little Snitch doesn't exempt its own connections, as far as I can tell. I already knew that Little Snitch could block its own software update, but I wanted to see whether there was anything else, ironically in order to assuage someone else's fear about the app. The background to this blog post is that I was testing whether Little Snitch exempts its own connections to the developer's server from getting blocked by Little Snitch. The server knows that you, i.e., your IP address, tried to connect to the server, even when Little Snitch "denies" the connection. This TCP data includes your IP address, which can often be used to personally identify you. ![]() Nonetheless, Little Snitch does not prevent TCP (Transmission Control Protocol) data from getting sent. Technically, unless you allow the connection, Little Snitch does indeed prevent HTTP data from getting sent. When you look at the implementation of Little Snitch, the interpretation of the word "data" becomes crucial. Your decision will be remembered and applied automatically in the future. No data is transmitted without your consent. Here's Objective Development's advertisement for the Alert Mode of Little Snitch: Whenever an app attempts to connect to a server on the Internet, Little Snitch shows a connection alert, allowing you to decide whether to allow or deny the connection. My hope is that highlighting this issue will prompt some improvements in Little Snitch to ameliorate it. However, this blog post raises a privacy issue with Little Snitch that bothers me, and I believe the public has the right to know about it. I've also done a lot to promote Little Snitch on my blog and even in the news media. I purchased Little Snitch years ago, continue to use it, and will continue to use it. Little Snitch is a macOS app and network filter extension made by Objective Development Software. Previous: What Apple doesn't get about FeedbackĪrticles index Jeff Johnson ( My apps, PayPal.Me, Mastodon) Little Snitch "denied" connections leak your IP address March 29 2023 Little Snitch "denied" connections leak your IP address
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |