by matheusmoreira 1810 days ago
> I want to deny network connections by default and specifically enable who can speak to the outside world.

I also want to filter the network data. I want my firewall to inspect what the software is sending over the network and delete, randomize or nullify all data that isn't strictly necessary for it to perform the desired function. Like uBlock Origin but for the network stack.

This would enable normal operation of the software while also at least partially subverting the "legitimate business interests" of these corporations.

2 comments

> I want my firewall to inspect what the software is sending over the network and delete, randomize or nullify all data that isn't strictly necessary for it to perform the desired function. Like uBlock Origin but for the network stack.

You'll have to TLS man-in-the-middle yourself for this to be viable.

Absolutely. Interception is okay when we're the ones doing it. Software exists to serve us, it doesn't have the right to establish private communications with third parties against our wishes.

I've intercepted the traffic of many mobile apps to see what information they're sending. I hear developers are pinning certificates now. I can just replace the pinned certificate, right?

That's easy, since you have control over trusted CAs. And also, not true; it could be done in the TLS library.

Could also work with file access. Most applications never need to access the whole filesystem. My browser mostly needs access to the profile-specific data and the downloads folder. A music player doesn't need access to anything outside the music directory and also no networking unless maybe that one URL it uses to load album cover images.

Although I'd only prefer this approach if it's actually done right. Android, Flatpak etc. mostly showed ways to do it badly.

Agreed. We need ways to filter every Linux system call. Not just disallow the system calls themselves. We need the ability to apply policies to parameters and filter I/O in a transparent way.
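The last comment asks for system-call policies that look at parameters rather than only at the syscall number. Linux seccomp-bpf already does this for arguments passed by value, so here is an added example (written for this thread, not code from any of the commenters) that installs a deny-by-default network policy of the kind the opening comment describes: `socket()` is allowed only for `AF_UNIX`, and any other address family gets `EPERM`, while every other system call passes through. The constants and offsets are the kernel's own; the function names `install_socket_filter`, `probe_socket` and `socket_filter_len` are mine. It also shows the limit the thread is circling: the BPF program sees only the raw argument words, so a path passed as a pointer (the "only the music directory" rule) cannot be inspected here and needs a different mechanism such as Landlock or a user-space supervisor.

```c
/* seccomp-bpf argument filtering: allow socket() only for AF_UNIX.
 * Added example for this discussion; not any commenter's code.
 * Linux only, raw prctl(2) interface, no libseccomp dependency. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define HOST_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define HOST_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* older kernel headers */
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Offsets into struct seccomp_data, the only memory the BPF program can read.
 * args[] are 64-bit; on a little-endian host the low word sits at offset 0. */
#define SD_ARCH offsetof(struct seccomp_data, arch)
#define SD_NR   offsetof(struct seccomp_data, nr)
#define SD_ARG0 offsetof(struct seccomp_data, args[0])

static struct sock_filter socket_filter[] = {
    /* 0-2: refuse to run if the calling ABI is not the one we compiled for */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARCH),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-4: anything other than socket() is allowed (jump to instruction 8) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
    /* 5-7: socket(): inspect arg0 (domain); AF_UNIX allowed, all else EPERM.
     * This is the parameter-level policy the thread asks for. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* 8: default allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

size_t socket_filter_len(void) {
    return sizeof(socket_filter) / sizeof(socket_filter[0]);
}

/* Install the filter for this process and its future children.
 * Returns 0 on success, otherwise the errno of the failing step. */
int install_socket_filter(void) {
    struct sock_fprog prog = {
        .len = (unsigned short)socket_filter_len(),
        .filter = socket_filter,
    };
    /* Mandatory for an unprivileged process: the filter can never be
     * escaped by exec'ing a setuid binary once no_new_privs is set. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return errno;
    return 0;
}

/* Try to open a stream socket in the given family.
 * Returns 0 on success or the errno the kernel (or the filter) produced. */
int probe_socket(int domain) {
    int fd = socket(domain, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void) {
    printf("before filter: AF_UNIX=%d AF_INET=%d\n",
           probe_socket(AF_UNIX), probe_socket(AF_INET));
    int rc = install_socket_filter();
    if (rc != 0) {
        fprintf(stderr, "seccomp install failed: %s\n", strerror(rc));
        return 1;
    }
    printf("after filter:  AF_UNIX=%d AF_INET=%d (EPERM is %d)\n",
           probe_socket(AF_UNIX), probe_socket(AF_INET), EPERM);
    return 0;
}
```

Returning `SECCOMP_RET_ERRNO` rather than killing the process is deliberate: the application keeps running and simply sees a failed `socket()` call, which is the "normal operation while denying the unnecessary traffic" behaviour the thread wants. Because the filter is inherited across `fork` and `execve`, the same program can be turned into a launcher that installs the policy and then exec's the real application.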