Hacker News new | ask | show | jobs
by teraflop 1460 days ago
A couple of obvious reasons:

- You can apply more flexible rules than just blocking specific hostnames -- for example, based on IP subnets, port numbers, or specific binary executables

- You can block connections even from programs that bypass the default system-wide DNS configuration
1 comments
throwawei369 1460 days ago
> You can apply more flexible rules than just blocking specific hostnames -- for example, based on IP subnets, port numbers, or specific binary executables

This doesn't sound like a common use case. You can already block connection on a specific port with all available firewall programs. And you can bubblewrap binaries from making internet connections.

> You can block connections even from programs that bypass the default system-wide DNS configuration

Other than browser's making use of DOH for DNS, I can't think of a common use case for this. Besides, why would I want to Wireshark my browser? Why not use uBlock to filter domains.

Doesn't seem obvious to me why one would go through all this trouble.

link
teraflop 1460 days ago
The whole point of something like Little Snitch is to detect, and give you the option of preventing, connections that you wouldn't otherwise know about. For instance, programs that secretly phone home with telemetry about the user's behavior.

I can easily imagine such a program doing its own DNS lookups (or just using hardcoded IP addresses) to avoid detection, and this approach allows you to block it anyway.

Sure, you could do the same thing manually. But you might as well say "why does anyone need Visual Studio Code when we have sed and awk?"

link
throwawei369 1460 days ago
My point is. With Linux and FOSS software, you do not necessarily need to treat programs as hostile. By default, most software is open and can be audited. If you decide to extensively use proprietary software then you have bigger problems that even Little Snitch cannot solve.

There are better alternative routes you can take that do not involve a "MITM" for all your connections.

link
KyeRussell 1460 days ago
Your head is firmly in the clouds if you believe that “audit all your software” is an appropriate solution for even the majority of desktop Linux users. The sun still rises every day with people using software that they aren’t personally auditing. Continued interest in this project proves its use. I don’t buy that you genuinely believe your viewpoint. You’re just being a FOSS purist.
link
beagle3 1460 days ago
You somehow assume exploits never happen.

There’s no MITM involved. Just another hop (potentially with an interactive go/no decision.

link
throwawei369 1460 days ago
If am not wrong, Little snitch doesn't stop any malicious domain that the user is not aware of.

Little snitch is effectively a MITM app for all connections on the system it is installed on.

link
beagle3 1460 days ago
Little Snitch can be setup whichever way you like, but the default/recommended way is for it to ask the user about every connection attempt, which you can then approve or deny (for a limited time, or forever).

Little Snitch is a gate. It either lets a specific connection through, or not; it does not modify it. It all happens on your own machine. You keep using that term, "MITM", I don't think it means what you think it means.

link
gus_ 1460 days ago
> Besides, why would I want to Wireshark my browser?

https://github.com/gustavo-iniguez-goya/opensnitch/issues/21

https://nullsweep.com/why-is-this-website-port-scanning-me/

https://user-images.githubusercontent.com/2742953/84960681-9...

link