←back to thread

Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

(twitter.com)
1183 points robenkleene | 3 comments | 20 Oct 20 15:51 UTC | HN request time: 0.388s | source
Show context
3pt14159 ◴[20 Oct 20 16:03 UTC] No.24838967[source]
This is one of those tough cases where software cuts both ways.

Some people are smart, informed developers that install a trusted tool to monitor their traffic and have legitimate reasons to want to inspect Apple traffic. They're dismayed.

Most people are the opposite and this move protects the most sensitive data from being easily scooped up or muddled in easily installed apps, or at least easily installed apps that don't use zero days.

Is the world better or worse due to this change? I'd say a touch better, but I don't like the fact that this change was needed in the first place. I trust Apple, but I don't like trusting trust.

replies(19): >>24838993 #>>24839043 #>>24839086 #>>24839126 #>>24839194 #>>24839419 #>>24840315 #>>24841406 #>>24841984 #>>24842961 #>>24843115 #>>24843241 #>>24844017 #>>24844287 #>>24844319 #>>24844636 #>>24845405 #>>24845660 #>>24845932 #
ballenf ◴[20 Oct 20 16:13 UTC] No.24839086[source]
I'd argue this opens up a giant attack surface where malicious software will try to route its command and control communication through a protected service. Do we really want to trust that Apple will keep all 50+ of these privileged services fully protected?

I think it makes the "world" slightly worse in that it will be harder to discover malware. Little snitch has a small user base, but it's been used to identify many forms of malware and protect many more people once the threat is identified.

replies(6): >>24840000 #>>24841973 #>>24843556 #>>24844470 #>>24844572 #>>24894460 #
comboy ◴[20 Oct 20 20:22 UTC] No.24841973[source]
The decision is questionable, but you can always inspect traffic from the machine outside it, I would even say that's preferable in context of malware.
replies(2): >>24842095 #>>24843750 #
1. tssva ◴[21 Oct 20 00:30 UTC] No.24843750[source]
TLS makes this difficult today and SNI encryption will make this next to impossible without installing a custom ca certificate and doing MITM. Even that isn't helpful when you are using a laptop that may not always be on the network where you have deployed a device for inspection. Better to be able to inspect or block on the device by application.
replies(2): >>24845274 #>>24845438 #
2. tialaramex ◴[21 Oct 20 06:33 UTC] No.24845274[source]
I would be astonished if Apple doesn't at least experiment with key pinning for the services it has decided to "protect" in this way.

If pinning is used then you can't interfere by interposing a middlebox, the connection would just fail. I guess it's possible Apple would find corporate pushback is too strong, but maybe not.

Don't use things you don't trust. If you trust Apple's proprietary software at least you are getting exactly what you signed up for. Apple gets to do whatever they want, which you apparently trust them to do. Will they accidentally let in bad guys? Maybe. You signed up for that too.

3. comboy ◴[21 Oct 20 07:11 UTC] No.24845438[source]
When we are talking about malware that's irrelevant. And if we are talking about inspecting Apple's traffic, I don't think you should trust things you see on their hardware running their operating system.