|
|
|
|
|
|
by microtonal
3441 days ago
|
|
|
Signed packages from trusted repos should not need firewalling, at least not if you're using a serious distro rather than a hobby project. Software has security vulnerabilities. So, even if the software is trusted, there could be a zero-day vulnerability that is exploited. I'd rather have software stopped in its tracks. (For this reason I think something like Little Snitch or Douane is not enough, you also need sandboxing.) will generally break as soon as they can't do their snooping because they'll segfault or block waiting for the answer that never came to the package that was never sent anyway. Maybe macOS apps are different, but I never had this experience during while using little snitch for almost 10 years. I recently started using Little Flocker (which is like Little Snitch/Douane, but for filesystem access) and so far no program has crashed as a result of denying access[1]. [1] Including the JDK installer, where I denied writing launch agents and Java itself trying to write to ~/.oracle_jre_usage. |
|
|
How? When the zero day hits, the program has long been marked as trusted and the firewall will just happily let it go along. Besides, even if you're an experienced user and the firewall is smart enough to figure out that the application is talking to a server that it's never talked before (which isn't even sustainable for a lot of applications), it's very likely that you'll see the alert way before you read the news about the zero-day, and you'll just shrug and allow it to continue because you trust that program.
(Edit: maybe personal firewalls got smarter since I last used one and there's something else I'm missing here?)
> Maybe macOS apps are different, but I never had this experience during while using little snitch for almost 10 years.
The kind of applications that actively snoop on users as a business model -- the ones that you want to block in the first place -- sometimes even do this deliberately (which is something that I know from experience, not something that I suspect). Inexperienced users quickly figure out it's the firewall that gives them trouble, and they'll pick disabling the firewall over not playing with their toy any time. This works for pretty much any sort of permissions.
For example, last time I ran it on my tablet, Instagram's application was crippled to uselessness because I had disabled camera access (my girlfriend only needed to post a photo on an account that she managed): as soon as it opened, it spit out a big fat error message saying it can't access the camera and that you should allow camera access if you want to be able to take photos. As soon as you tapped ok, the same error popped up, and the application never loaded.
macOS apps aren't any different, you're just running the right ones :-).