Hacker News
Little Snitch 3 – Protect your privacy (obdev.at)
377 points by ergot on Jan 20, 2017 | 215 comments

> Research Assistant

> Have you ever wondered why a process you’ve never heard of before suddenly wants to connect to some server on the Internet? The Research Assistant helps you to find the answer. It only takes one click on the research button to anonymously request additional information for the current connection from the Research Assistant Database.

I'm so glad they built this feature.

The hardest part about using Little Snitch is trying to figure out whether processes that look like system or daemons are making legitimate connections.

Frankly, I don't think Little Snitch is usable because of this. And no, a lookup tool is not good enough. For a paid program, I would expect them to maintain a list of the "required/acceptable" connections and "unnecessary" connections for popular programs, and automate the process of approval for each app.

Perfect example: Spotify is impossible to manually whitelist without spending well over an hour accepting or denying each of the exhaustingly large number of domains it touches. I bet that nearly every user simply gives up and whitelists the entire application, which defeats the purpose of paying for and installing an app like Little Snitch in the first place.

Little Snitch should be doing that work up front for its users. One person on their end spends a day or two figuring it out for an app, and saves tens of thousands of user hours having to individually perform that task. No anti-virus out there alerts a user to every filesystem read and write - they maintain databases of known threats. The same should be true for this kind of software.

Yes, it would require constant maintenance on their part. If they needed to up the price to make such a strategy viable, so be it. As it stands, I uninstalled out of frustration after using the demo for 6 hours. The alerts and interruptions never stop.

Oh this is so exactly my experience as well. I love the concept and the fine grain control that's possible, but it's so damn frustrating to use. So many obscure processes on OSX want outbound access that I gave up trying to research each; on the other hand, if I deny everything I'm worried that something subtle is going to fail and I'll end up spending half a day figuring out why.

> one person [does the work] and saves [us] tens of thousands of user hours having to individually perform that task

If Little Snitch is listening, please do this. I would be willing to pay more.

They do stop, and while I do agree it's annoying at first, your decisions about what to block and when are different from my decisions about what to block and when. It's not about "threats" per se but about privacy, operational security and choice.

I would totally accept some presets for Apple services.

One preset that I would love is "maximum privacy while user initiated outbound still works". So my browser would work because I initiated it, but everything OSX or apps do in the background are blocked. Automatic updates are blocked? Good! Network time sync is blocked? Fine by me. Only what I initiate gets through. Can you do that as a preset please?

That's my default until VPN is up: Firefox only + a few network services that seem to be required.

There is simply too much trial and error caused by initially denying a connection, only to discover that it's a mandatory connection to allow the app to function properly. A ridiculous amount of time is spent changing an initial deny to an accept.

>> your decisions about what to block and when, are different from my decisions about what to block and when

It really would not be hard to offer sensible default presets per application. "Spotify is attempting to make its first connection. Would you like to a) block all connections, b) allow all connections, c) allow all connections required for standard operation only, or d) ask me for each connection (manual management)". Nobody is going to fine-tune every phone-home or analytics call; people who want them blocked will block them all, and people who don't mind won't block any of them.

The only reason it's a tough job is that applications can change frequently. Every time any app (ex: Spotify) releases a new version, it needs to be reviewed again to see if the "firewall database" needs updating. It would be useless to have a database of known connections if updates aren't disseminated to users within 1-2 days of a new release.

That is a valid point. But they could at least do some research and give all users useful info in a pop-up window. Wouldn't it be easier to decide if one could read a message? Ex: "Process XXXZZZ666 - This process does this and that. Risk of blocking is this, risk of not blocking is that."

While Spotify does use a lot of domains most of them are subdomains for music. You can use a wildcard for them (*.ap.spotify.com ports 80, 443, 4070).


Eh, it is not at all a new feature. Lavasoft AdAware did this in the 90s, running on Windows 9x. Apparently Murus Firewall does it as well.

but if I block Little Snitch from Little Snitch, will Research Assistant still work?

Try the Little Snitch Research Assistant, it might be able to help.


That's not what GP's comment is about.

Downvoting you because you only comment about NetBalancer. Please stop spamming in our community

Why are OSX applications in general so bad at telling website users which platforms they support? Like always, I have to keep digging around in the website, just to find out that it only runs on OSX...

Does anyone know a similar utility for Ubuntu/Linux systems? Paid or free, doesn't matter.

Perhaps they thought the screenshots made it clear enough; like this one: https://www.obdev.at/Images//littlesnitch/index/alert_on_scr... shows Little Snitch blocking iTunes (with an Aqua-styled UI).

Although I'll admit it doesn't mention what OS or what version except a small line on the downloads page:

    Runs on OS X Yosemite (10.10) and later, including macOS Sierra (10.12).

A screenshot demonstrates a place where it CAN run (and potentially where the devs run it), but doesn't EXCLUDE anything.

You see screenshots of Windows programs all the time with just a side note somewhere that is like "oh yeah, and for linux and mac too".

Not to be biased, but 9 years of personal experience tell me that if a program has a landing page saying "oh yeah, and for linux and mac too", it looks shit on Mac.

Plenty of apps look like shit but run just fine.

Perhaps others don't share this view but I don't care so much how it looks if it gets the job done, especially if there is no other alternative.

That was an exaggeration, but many times programs that look identical (aside from window frames) across platforms don't show the window frames for every platform. Electron apps (for as unpopular as they may be) are pretty platform agnostic. If they show it on Windows and just have a Linux/Mac download button, it's not a big deal.

skype.com probably fits the bill of looks shit, but it shows Android and Windows 10 screenshots only.

obsproject.com shows a lot of screenshots that look pretty windows 10-ish... but it also announces "Latest Releases <platform logos>" right at the top of the page.

sublimetext.com shows Windows-only screenshots. And then mentions platforms at the bottom of the page.

https://slack.com/is shows only Mac screenshots. I imagine this reflects more on the developers than the actual product. I'm pretty sure it's available on other platforms.

And my point was less about the quality of programs than about availability. Showing the window frame of a single OS does not mean that only that OS is available; sometimes that's just the only OS the marketing team uses.

If I'm not a Mac user, I won't recognize a window manager that's only available on MacOS. And isn't there a (crappy) iTunes port for Windows?

Well, iTunes is made by Apple.

It also doesn't require the kernel-level integration of Little Snitch.

Firewalls are way more about the backend than the frontend. They are not very portable at all.

The same can be said about Windows programs very often. And about your second question: ufw goes in that direction but is not exactly the same as Little Snitch.

>ufw goes in that direction

Which direction? Does it have [plans for] learning mode or even process-based rules?

Outbound, as in you can regulate outbound connections originating from your apps.

I don't run anything like this on my Linux box (just standard iptables), but I was looking for something like this for Windows a while back. The only thing I've really found is Windows 10 Firewall Control:


It's nowhere near as nice as Little Snitch, plus it doesn't block the socket call and then allow it after you acknowledge it. The call will fail and the app has to retry the connection.

Are there any better Windows solutions?

Glasswire looks pretty similar to this. I haven't tried the various paid versions, but even the free one shows a lot of useful stuff.


I use the free version on Windows 10. I haven't tried the paid version yet. I spend most of my time on Linux instead of Windows 10.

It tells you when an app is updated, and when an app is making an Internet connection, and you can shut them off from the Internet if you wished.

Try Windows Firewall Control: www.binisoft.org/wfc.php

Crossing my fingers that someone knows of an alternative for Linux, but my hunch is, it'll be some crazy iptables scripts or something :/

I was looking for such an app out of curiosity a while ago and found Douane. Never used it myself, but it was open source and had similar features.

This looks promising.

Firejail might be worth a try.

Yes, I would buy a Linux version of this. I use UFW, but it requires a lot of work. A GUI with that network monitor would be great.

I'd argue it's sort of… insanely clear, when clicking on the download page, that there is no version available.

I don't click download links until I understand what the product is. It's disappointing to spend time learning about a product and THEN finding out I can't use it. It should be front and center, or have a logo big enough that a quick full-length page scroll will show at an instant the platforms available without having to read.

https://obsproject.com/ clearly shows it is cross platform.

https://adium.im/about/ clearly shows that it is not.

I almost wonder if shortsighted optimization of the sales funnel encourages not putting the platform up front since that would drive people away (who wouldn't buy the app anyways, but that's not always apparent).

Either way it didn't cost the website owner much to lead on some people not in their target audience.

I disagree. There are a lot of sites out there that detect your OS and only show you downloads appropriate for your platform.

You are right but it's likely most people wasted a few minutes reading about it before discovering this?

Ah, the price of running Ubuntu/OSX/Windows....it always bites you in the ass.

This is like the B2B SaaS marketspace - it's almost taken for granted that your app integrates with Salesforce. People are surprised if it isn't.

However, anyone who runs Microsoft CRM, SugarCRM, Netsuite, etc. is used to hearing "Sorry, we don't integrate with X". I'd say Ubuntu falls into a similar category....

Would they make more money if they let visitors from other platforms know it's a macOS app? No. That's why.

Look at the download page — it's bolded:

> Runs on OS X Yosemite (10.10) and later, including macOS Sierra (10.12).

It definitely goes both ways :) If anything I'd argue it's much more common for Windows apps to not specify Windows-only, because Windows has been the largest install-base for so long.

And yeah. Annoys the heck out of me too, in both situations.

Would just take a little icon saying so. A lot of dev communities seem to be pretty ubiquitously mac these days. I wonder if it's a side effect.

Yeah, I ended up visiting the site from my Linux machine just to find out if there was some kind of browser sniffing thing at work. Nope, OS X only.

I run into this all the time with linux and windows.

Douane Firewall

This is a prime example on how to make a landing page for a product. I understand what you are selling and why I would want it. The product looks great and I think I'll try it out after work.

It's pretty good, but I feel like the screenshots don't really convey the app's value very well. Maps wants to connect to maps.apple.com? Of course it should. iTunes wants to connect to itunes.apple.com? Well, yeah.

I'd much rather see a screenshot of some app trying to connect to a sketchy or surprising domain. I think that would really drive home the app's purpose and make it look less like a nuisance that's going to bug me every time I launch Apple Maps.

And that's why I fail to see the value for this.

Does anyone use this for reasons other than blocking license validation checks on pirated software? Because that's the only reason I can think of for getting this.

That was my first use case.

But then I found others, like monitoring my banking websites reaching out to odd domains and ports. Or virus detection (some viruses uninstall if they detect Little Snitch). The more I used it, the more I liked it. So I unblocked the Little Snitch license checks and bought a legit copy.

You'd be surprised how many apps try and make requests to ad servers, e.g. doubleclick. It's also a pretty good network monitor if you want a coarse profile of which apps are using network bandwidth (and how much).

Whitelist for phone tethering. Use it almost every day!

I use it to lock down network traffic before my VPN kicks in, and to throttle anything data hungry when I'm tethering.

I'm going to try it right now for controlling what's using data when I'm tethering via my phone.

I use it while tethering so that automatic updates don't start chewing up expensive bandwidth.

Yes. I use this to control what information my Mac sends back to Apple.

My workflow for the first system on a network is to install the OS offline, then install Little Snitch from a thumb drive from a trusted system.

I set it to Silent, Deny All mode and turn off all rules except for the rules that allow software to make (not receive) connections to the local network. Then, and only then, I connect the network cable and try to pull an IP address. If you're using DHCP then this will fail. To deal with that, I create a profile that applies only when connected to my home network and then add an allow rule to let dhcpd/discoveryd (IIRC) pull IP addresses.

I then try to open up Safari and browse to, say, Google. This will typically fail for two reasons: outgoing DNS queries are not allowed outside of the network and Safari doesn't have rights to connect outside the local network. If my DNS servers are outside of my local network I add a rule to allow the DNS lookup process to connect to only the DNS servers I have defined. I then give Safari allow rules for ports 80 and 443. Both of these rules are added to the home network only profile.

From there, I'll try to access the App Store and sort out what rules are needed for that, adding them and then adding them to my home network only profile. At this point, I'll take a firewall rules backup. Now, if I need to reinstall, I can load this rules backup and be able to browse the Internet, pull system updates, and then evaluate other software that needs network requests.

Software that tries to connect is logged, and each connection is logged. For software that is too "chatty", trying to talk to the network when it shouldn't, I'll add deny rules so they don't spam the failed connections log. Other software will have case-by-case exceptions made for it as necessary.

Generally, all of my allow rules will stay in my home network only profile, but there are a few that I'll always allow out. These are often SSH connections as they should be secure no matter where I'm at.
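As an added example (not Little Snitch's own engine or rule format), here is a first-match rule evaluator that models the default-deny, profile-based setup described in the comment above, together with the *.ap.spotify.com wildcard from earlier in the thread. Process names, hosts and addresses are constructed; mDNSResponder is assumed as the resolver process name.

```python
"""Model of a default-deny outbound policy with per-network profiles.
Added example; the rule semantics are a simplification and the hosts,
addresses and process names are constructed sample values."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    process: str                       # glob over the process name ("*" = any)
    action: str                        # "allow" or "deny"
    host: str = "*"                    # glob over hostname or IP address
    ports: Optional[frozenset] = None  # None means any port
    profile: Optional[str] = None      # None means active in every profile

    def matches(self, process: str, host: str, port: int, profile: str) -> bool:
        return (
            fnmatchcase(process, self.process)
            and (self.profile is None or self.profile == profile)
            and fnmatchcase(host, self.host)
            and (self.ports is None or port in self.ports)
        )


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default: str = "deny"                                 # "Silent, Deny All"
    unmatched: List[Tuple[str, str, str, int]] = field(default_factory=list)

    def decide(self, process: str, host: str, port: int, profile: str) -> str:
        """First matching rule wins. Attempts no rule covers fall back to the
        default and are recorded for later review; an explicit deny rule keeps
        a chatty process out of that list, as the comment describes."""
        for rule in self.rules:
            if rule.matches(process, host, port, profile):
                return rule.action
        self.unmatched.append((profile, process, host, port))
        return self.default


def home_policy() -> Policy:
    """Rules in roughly the order the comment builds them up."""
    home = "home"
    return Policy(rules=[
        # Any process may *make* connections inside the LAN (modelled as a glob
        # over a constructed 192.168.1.0/24 range); nothing here permits inbound.
        Rule("*", "allow", host="192.168.1.*", profile=home),
        # DHCP is a broadcast, so the LAN rule above does not cover it.
        Rule("discoveryd", "allow", host="255.255.255.255",
             ports=frozenset({67}), profile=home),
        # The resolver (assumed to be mDNSResponder) may talk only to the one
        # configured external DNS server.
        Rule("mDNSResponder", "allow", host="198.51.100.53",
             ports=frozenset({53}), profile=home),
        # The browser gets web ports only, and only at home.
        Rule("Safari", "allow", ports=frozenset({80, 443}), profile=home),
        # Spotify's many content hosts collapse into one wildcard rule.
        Rule("Spotify", "allow", host="*.ap.spotify.com",
             ports=frozenset({80, 443, 4070}), profile=home),
        # A process that never stops trying: deny it outright so it does not
        # flood the review list.
        Rule("gamed", "deny"),
        # SSH should be safe on any network, so it is allowed in every profile.
        Rule("ssh", "allow", ports=frozenset({22})),
    ])


def evaluate(policy: Policy, attempts, profile: str):
    """Run a batch of (process, host, port) attempts under one profile."""
    return [(p, h, port, policy.decide(p, h, port, profile))
            for p, h, port in attempts]


if __name__ == "__main__":
    policy = home_policy()
    sample = [("discoveryd", "255.255.255.255", 67),
              ("mDNSResponder", "198.51.100.53", 53),
              ("Safari", "www.example.com", 443),
              ("Spotify", "gae2-ap.ap.spotify.com", 4070),
              ("Spotify", "metrics.example.net", 443),
              ("gamed", "203.0.113.7", 9999)]
    for row in evaluate(policy, sample, "home"):
        print(row)
    print("needs review:", policy.unmatched)
```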

The only change I would make is to add an additional call-to-action button at the bottom. I got to the bottom and didn't know what to do next and had to scroll back to the top to find the trial/buy buttons.

Did you install or buy it?

Excellent product, but needs some kind of rule sharing feature. There are so many network requests from different components that it can be overwhelming knowing what to allow.

Definitely agree. I like the idea of it, but when I installed it for the first time and rebooted, it fired off so many confirmation requests for various cryptic services I had no idea what they were, I removed it just as soon as I'd managed to click through them all.

Little Snitch is noisy AF for the first day or so, but that's also kind of the point, right? You're running it because you want to know which apps are doing what. Those first sessions are enlightening. Wow, my laptop talks to all the things! That drops very quickly, though, as you tell it "yes, allow Slack to connect to" and "no, don't let Safari talk to sketchy.ru:8765".

I still get the occasional popup, but now they're limited almost exclusively to newly installed apps that I'm running for the first time. That's still an eye-opener: no, I don't see a need for a calculator to connect to Google Analytics. Deny!

Except for gamed, of course. There's no rhyme nor reason to which hosts and ports it wants to talk to. If you ever want to hack a Mac running Little Snitch, call your process "gamed" and the owner will allow it through (if they haven't already set "allow connections to any host and port because alert fatigue lol").

It definitely takes some time, effort, and research to get past this initial phase. In the future, I hope they explore more automation / semi-automation around system processes.

Or something like blacklists for known offender programs.

I used to use a competitor, https://www.oneperiodic.com/products/handsoff/. As far as memory serves, it had some kind of rule sharing, but I didn't like it at all (why would I trust rules made by someone else?)

One possible way to do this well would be displaying information about how many people blocked/allowed. Then maybe following the crowd if it is converged enough, e.g. ≥1k votes with ≥95% same decision. But, this might be technically and socially challenging (people who care about this level of privacy may not want to share their rules; you need to make sure that no malware developer can game the system; people need to trust in that).

Therein lies a dilemma: knowing what does what on macOS. I just sit around watching log stream output and wonder why that JPEG is being 'processed' by Safari. But that's another story.

I tried an earlier version of this and was a bit disappointed by the (apparent?) lack of information regarding these connections from applications, since there's so much going on on OS X and it's hard to tell what's legitimate and what isn't. It would be great if we could record traffic on a per-application/process basis and display it comfortably, or even have some built-in heuristics to identify common tasks like "Firefox update check" or "iCloud authentication".

It's very similar to the venerable "Spybot S&D" on Windows (the "TeaTimer" functionality, now apparently called "Live Protection": https://www.safer-networking.org).

Besides the other replies that suggested Research Assistant: Little Snitch is actually able to write pcaps per application so you can then analyze them with Wireshark. Killer feature, imo.

Little Snitch 3 has the research assistant thing where you can check each application and process to verify if it's legit against a database.

I have the same thing with system monitors. So many processes for which I have no idea if they're legit.

Usually a google search resolves these questions. However, it is a big problem for when I have a non-technical person using a machine with this tool installed.

I have heard, "I never know what to do when I see these popups." Unfortunately, I don't think the research assistant will help them either.

That depends on your POV. Is iTunes phoning home legitimate traffic? Maybe for some/most, but I certainly block those attempts; to me iTunes is just a nuisance app, like GarageBand and a few others. LS does an excellent job at selecting the vital connections as valid and then lets you decide if you want to tell Apple & Microsoft & Friends more or if you'd actually prefer the OS would not.

I noticed no one mentioned https://www.tripmode.ch/ . I used to use Little Snitch before, but it was too complex for what I wanted to do (allow/disallow internet access to certain apps); TripMode does the trick in the simplest way I've ever seen.

TripMode is nice, but it's pretty darn buggy, and hangs a lot. I also never see any updates to it. Which is frustrating as a paid user.

»TripMode activates itself on networks where you used it before.«

Wow, that's amazing. Apple should buy them and make this feature default :-)

Little Snitch can do this also, called "Automatic Profile Switching".

TripMode doesn't catch all traffic, for example traffic from Arq backups.

Please steal this idea and make a product; I'll be your first paying customer:

Data Loss Protection (DLP) for retail consumers.

DLP (see http://whatis.techtarget.com/definition/data-loss-prevention... for a definition) goes beyond what Little Snitch does and does packet inspection to ensure that credit card numbers (for example) are never sent out from your network / box. Ideally, you can add regular expressions to define other PII that shouldn't be allowed to be sent out (your name, address, etc.).

DLP products exist for corporate use, but I don't know of any lightweight + inexpensive one for personal use.

Wireshark, Fiddler or Charles can incorporate this functionality, if I am not wrong. Not sure how one would MITM SSL with Wireshark, though.

This requires splicing SSL connections, which requires installing custom 3rd party root CA certificate, which in turn requires complete and unwavering trust in your filtering software vendor.

That is an interesting approach. But the simplest encryption (e.g. a simple XOR) will go around this problem very easily.

The only way to make this sort of idea work reliably is a managed learning approach that creates a whitelist of known-good network traffic patterns, and then only permits those.

A prescriptive signature-based black list, as you point out, is easily fooled with simple obscurity.

Rather, controlling what information software can get its hands on (focusing on the input rather than the output) seems to be the only way out? This is what app permissions on phones and applet sandboxing, chroot jails & containers, etc. try to do.

An additional twist that seems daunting (but interesting) is to mark sensitive data at EVERY step in its processing, with support from the OS and hardware, and never let tainted data out without explicit permission. See Perl's tainted variables for the gist of the inspiration.

So if a = "User's name", which is protected data, and you do b = a, then b is tainted, too, and write(socket_fd, *b) would pop-up an alert.

All old hat, I bet, to security researchers. I'm just thinking out aloud.
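The taint-propagation idea sketched above (b = a keeps the taint, and the write to a socket trips an alert), as an added userland illustration that is not something macOS or Little Snitch provides: a Tainted string type whose taint survives the common operations, and a guarded write that refuses tainted payloads unless the release is approved. The socket is a constructed stand-in and the data values are made up.

```python
"""Userland sketch of Perl-style taint tracking. Added example; the hooks
below cover common string operations only, and the socket is a fake."""


class TaintedBytes(bytes):
    """bytes that inherit the taint of the string they were encoded from."""
    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj


class Tainted(str):
    """A str marked as protected data. Every operation routed through one of
    the hooks below returns another Tainted carrying the same source label."""
    def __new__(cls, value="", source="protected"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def _wrap(self, value):
        return Tainted(value, self.source)

    def __add__(self, other):            # a + "..."
        return self._wrap(str.__add__(self, other))

    def __radd__(self, other):           # "..." + a (subclass wins the dispatch)
        return self._wrap(str.__add__(other, self))

    def __rmod__(self, template):        # "Hello %s" % a
        return self._wrap(str.__mod__(template, self))

    def __getitem__(self, key):          # a[:5]
        return self._wrap(str.__getitem__(self, key))

    def __format__(self, spec):          # format(a), f"{a}" on its own
        return self._wrap(str.__format__(self, spec))

    def upper(self):
        return self._wrap(str.upper(self))

    def strip(self, chars=None):
        return self._wrap(str.strip(self, chars))

    def encode(self, encoding="utf-8", errors="strict"):
        return TaintedBytes(str.encode(self, encoding, errors), self.source)

    # Anything not hooked here (str(x), "{}".format(x), f-strings mixed with
    # literal text, .join, .replace, ...) silently launders the taint. That
    # gap is why the comment asks for OS and hardware support, not a library.


class TaintError(PermissionError):
    pass


class FakeSocket:
    """Constructed stand-in for a socket: records what would have been sent."""
    def __init__(self, peer):
        self.peer = peer
        self.sent = []

    def sendall(self, payload):
        self.sent.append(bytes(payload))


def guarded_send(sock, data, approve=None):
    """Stand-in for write(socket_fd, buf). Tainted payloads are refused unless
    approve(source, peer) returns True; that callback is the "pop-up alert"
    from the comment. Returns the number of bytes handed to the socket."""
    if isinstance(data, (Tainted, TaintedBytes)):
        if approve is None or not approve(data.source, sock.peer):
            raise TaintError(f"refusing to send {data.source!r} data to {sock.peer}")
    payload = data.encode() if isinstance(data, str) else data
    sock.sendall(payload)
    return len(payload)


def demo():
    a = Tainted("Alice Example", source="user's name")   # protected data
    b = a                                  # b = a: same object, still tainted
    greeting = "Hello, %s" % b             # derived value inherits the taint
    sock = FakeSocket("203.0.113.10:443")  # constructed peer address
    outcome = {}
    try:
        guarded_send(sock, greeting)       # no approval: alert, nothing sent
    except TaintError as exc:
        outcome["blocked"] = str(exc)
    outcome["approved"] = guarded_send(sock, greeting, approve=lambda s, p: True)
    outcome["clean"] = guarded_send(sock, "ping")   # untainted data passes
    return outcome, sock.sent
```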

I see what you're saying. So DLP is useful only for naive attempts.

Yes, I worked on a product with a DLP feature we touted yet it would fail to identify credit cards if you put extra characters between sets of numbers.

It sounds good, and because compliance is about making good-sounding things mandatory (weekly password rotation, yay! /s) it got mandated in a lot of places.

And it did catch mistakes, like accountants sending the wrong files or to external addresses. Which I guess is justification for it right there.

But it's billed as a stronger (i.e. hacker) protection, for which it's useless, so I never liked it.

I think the world would be safer with an email plugin that helped you by suggesting that you should not send a document to a given address, based on rules and observations. It'd only be a suggestion so nobody would expect miracles, but it'd stop all the unintentional mistakes our system stopped, for a fraction of the price.

Most antivirus suites have that, for example Kaspersky:


>> Furthermore, it’s easy to control file downloads and you can even block the transfer of private data – such as phone and credit card numbers.

Is DLP even effective?

In my experience it either blocks false positives, or lets sensitive information out with the slightest obfuscation.

Try it for yourself - can you exfiltrate anything you like by zipping it up and appending it to a JPEG? I think you'll find you can! (7zip just ignores the image part so you don't have to do anything funky at the other end.)
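As an added example (not any vendor's DLP product), here are the two checks a content filter would need to catch the evasions mentioned in this thread: separator-tolerant card-number matching backed by a Luhn check, and a JPEG marker walk that exposes anything appended after the real end-of-image marker. All sample data is constructed; the card numbers are the standard publicly documented test numbers.

```python
"""Two DLP content checks. Added example; the JPEG below is a constructed
marker sequence, not a viewable picture."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real card numbers pass it, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, allowing up to three non-digit filler characters between
# any two of them, so "4111-11x11-1111_11.11" is still one candidate.
CARD_RE = re.compile(r"(?<!\d)(?:\d[^\d\n]{0,3}){12,18}\d(?!\d)")


def find_card_numbers(text: str) -> list:
    """Return the normalised (digits-only) card numbers found in text."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


STANDALONE_MARKERS = {0x01} | set(range(0xD0, 0xD8))   # TEM, RST0-7: no length


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments of a JPEG and return the offset just past the
    EOI marker that really ends the image. Raises ValueError on a broken
    structure, which a filter should treat as suspicious too."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte, marker follows
            pos += 1
            continue
        if marker == 0xD9:                    # EOI
            return pos + 2
        if marker in STANDALONE_MARKERS:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                    # SOS: skip entropy-coded data
            while True:
                ff = data.find(b"\xff", pos)
                if ff < 0 or ff + 1 >= len(data):
                    raise ValueError("scan data runs past end of file")
                nxt = data[ff + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed FF / RSTn
                    pos = ff + 2
                    continue
                pos = ff                      # a real marker: back to the loop
                break
    raise ValueError("no EOI marker")


SIGNATURES = {b"PK\x03\x04": "zip archive", b"7z\xbc\xaf\x27\x1c": "7z archive"}


def classify_jpeg_trailer(data: bytes) -> tuple:
    """Return (verdict, trailing_bytes) for a JPEG that is about to leave."""
    trailer = data[jpeg_end_offset(data):]
    if not trailer:
        return "clean", trailer
    for magic, name in SIGNATURES.items():
        if trailer.startswith(magic):
            return f"{name} appended after image", trailer
    return "unknown data appended after image", trailer


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG marker sequence: SOI, APP0, SOS, a scan that
    contains a stuffed FF00 and a restart marker, EOI, then the trailer."""
    app0 = b"\xff\xe0" + (2 + 4).to_bytes(2, "big") + b"JFIF"
    sos = b"\xff\xda" + (2 + 1).to_bytes(2, "big") + b"\x01"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer
```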

Not related in any way, Little Flocker[0] is a similar program but for file access. It's a little rough around the edges but has been improving steadily.

[0]: https://www.littleflocker.com

Can it be used to stop OS X Spotlight from putting .DS_Store in every directory it sees?

Edit based on gumby's response below: can it stop Finder from littering in every directory it sees?

Spotlight isn't putting that file there; that's where the Finder stores the directory-specific preferences (window size/position, list vs icon display etc). If you don't use the Finder (which I mostly don't) then you'll never see these files.

Spotlight maintains its own database in /

I have this at the bottom of my .zshrc just for this reason:

  # remove any .DS_Store files
  # (run in a subshell to suppress background job number info being printed)
  ( ag --hidden -u -l -g '\.DS_Store$' |xargs -n 1 rm -f & ) > /dev/null 2>&1

I used Little Flocker for a few months and, while it worked really well, it slowed my machine down sooo much. Perhaps the newer releases perform better.

The newer releases are much, much faster. You should give it another shot.

Why was this posted today? I bought Little Snitch 3 in January 2013. I was thinking maybe this was a new major version, but it's not.

Someone probably stumbled upon it and found it useful? Little Snitch has been an OS X staple for a while now, especially for those who were involved in the pirated apps scene.

There's a great Defcon talk about someone breaking Little Snitch:


There's an easy way to break it. Connect to random ports/IPs, so that the machine becomes unusable due to the amount of Little Snitch popups showing up. Until the user gives up and disables it.

"Silent Mode – Decide Later

There are times where you don’t want to get interrupted by any network related notifications. With Silent Mode you can quickly choose to silence all connection warnings for a while. You can then later review the Silent Mode Log to define permanent rules for connection attempts that occurred during that time."

> A firewall protects your computer against unwanted guests from the Internet.
> But who protects your private data from being sent out?

A firewall? No kidding, a firewall is not supposed to only block incoming traffic...

The built-in OS X firewall blocks incoming connections only.


I’ve been using this happily for a long time. For those taken aback by the endless prompts on the first run: that’s only for the start. Select “forever” for connections you trust and you’ll soon have far fewer prompts.

On a side note: the developers also have Micro Snitch, an app that warns when the camera or the microphone on your Mac is in use.

> On a side note: the developers also have Micro Snitch, an app that warns when the camera or the microphone on your Mac is in use.

I did not know that, that's awesome. I'm going to check that out.

Link for anyone that's interested: https://www.obdev.at/products/microsnitch/index.html

| Select “forever” for connections you trust

But how do you know what to trust?

Any similar software recommendations for Windows?

Nope, it's quite different from Little Snitch.

They're nice-looking, but don't have anything that even remotely resembles rules. All it can do is deny or allow all traffic, on per-application basis. If you want your email client to talk to only your email server but not anywhere else (as a security precaution) you'll have to use built-in Windows firewall facilities to set up such a rule.

Rule management is coming in v2.0 - or so they say - but it's not yet here.


Outpost Firewall used to be a powerful interactive firewall for Windows, but it's dead these days.

Glasswire is fantastic but the most useful features cost $50, FYI

Is this similar? I installed it long ago and when looking at it, it didn't seem useful, but perhaps I am completely wrong?

Not really anything that equals it, which is a surprise and a shame. The closest thing I've found is Net Limiter 4.


Comodo is super bloated, but if you can make it through installation without installing Bonzi Buddy three times, it has a nice feature set, for free.

Unfortunately, nothing comparable to Little Snitch that I could find.

On Windows I use the built-in Windows firewall with WFC[1] to configure it, but as much as it gives you a notification when an app tries to connect somewhere, due to how it works it unfortunately blocks the request first and gives you the notification later, so you always have to retry/restart the offending app, unlike Little Snitch, where the app remains waiting while you decide if you want to let it connect or not.

That said, I would not use Windows without it; these days most applications seem to want to phone home all the time for some reason.

1- http://www.binisoft.org/wfc.php

15 years ago, this was exactly what ZoneAlarm did. Unfortunately, it seems that it ended up as just another "all-in-one Windows security solution".

Not nearly as good, but at least it uses the built in Windows Firewall. https://tinywall.pados.hu/

The issue with Tinywall is it won't alert you when it's blocking apps.

Since a lot of Windows apps are a conglomeration of EXEs just whitelisting the main app is often not enough.

Comodo is WAY more bloated than Tinywall but I use it because I can set it to alert me to everything that tries to access the internet, and choose to block it or not.

I used to use Kaspersky for stuff like this a while back. Not sure how that software has changed over time.

ZoneAlarm Firewall?

How does this work? Does it override the networking DLLs to proxy the socket creation calls?

Like any other firewall... It's a kext (OS X kernel plugin)

Application layer API through OS X.

Those of you who own Little Snitch...do you regularly block outgoing connections from applications you regularly use?

Yes - anything that doesn't need to be accessing the internet. Plus Google things that phone home. It's fun to watch them get frustrated and light up red in the activity monitor as they desperately try to send back metrics.

If you use Google as your DNS server, sometimes various Google services will just send the same requests over port 53 to or instead of the normal IP.

I have blocked everything Adobe Lightroom and its little cloud friends try to do, except on install to validate key. And a bunch of other apps / Apple services. If it wasn't for Little Snitch I wouldn't feel at ease running Mac instead of Linux. For me MacOS is a decent compromise between privacy and convenience because of Little Snitch. (Except that I implicitly add to the problem by accepting Mac in my life, leading by example and all that. Still struggling with that. But I tell myself I have bigger fish to fry.)

Question: Do you use an Android phone? Just saying.... you have much bigger problems on these kinds of devices.

> you have much bigger problems on this kind of devices.

Which might be true, but two wrongs do not make one right. I.e., leaking data on mobile devices does not make leaking data on a laptop OK.

Question: are you a full-time nudist? Just saying, someone has seen you naked, so why not everyone?

I have used Little Snitch for quite a while, then switched to Hands Off because I liked its interface a bit better and the ability to set a rule that would clear at reboot was a win. I regularly block outgoing connections; tracking attempts by Google, Apple & Microsoft (no PowerPoint, you don't need to check in to Skype at each launch...), limiting a lot of apps to loopback connections rather than full outgoing connectivity, etc.

Another benefit is that once I get over the initial rule configuration hump (and it is a real PITA for the first week or two) what I end up seeing are the anomalies and so I can pay closer attention to what has changed or where something is trying to connect that I might want to think about.

> the ability to set a rule that would clear at reboot was a win

Little Snitch provides that: https://www.obdev.at/Images//littlesnitch/index/more_feature...

> limiting a lot of apps to loopback connections rather than full outgoing connectivity

and that

Yeah, it was there but well hidden and an additional click with the mouse vs. being able to do it easily via keyboard. Small things like this really added up to push me to Hands Off, but I may give Little Snitch a look again if the price for upgrading from 2.0 is not unreasonable...

People do it for pirated copies of Adobe software because of how much it phones home. Do a quick Google search and you'll find many sn/crack/warez (do people still use that word?) instructions talk about editing hosts files or installing Little Snitch.

I do it even though I have legal copies of Microsoft Office and Adobe software. It is incredible how often these apps send around data even while I am not using them and have no live.com account.

How did you get around not having live.com for MS Office? I've got the retail box of 2016 for Mac (not the 365 one) and it still required me to make one :(

At every launch, it connects to login.live.com and live.com.akadns.net.

It's a volume license from our university.

If you got the official one, then you have very limited options :(

I do. I often don't like MS products sending crash information but need those updates. It's manual, but something I prefer.

I am always impressed how many connections Microsoft Office for Mac tries to open when starting it.

I block all desktop apps from accessing Google Analytics. Don't want my desktop activities to be tracked with Google Analytics.

The Photos app makes requests to some concerning endpoints; I wish they would add a way to disable those features, like "FaceRecognition" or the like. Which implies that the iPhone Photos app probably does it too.

Not sure what data it uploads but there is no info surrounding this.

Yes, lots. It's amazing what makes (/tries to make) connections over the course of a day.

I'm looking at you Adobe Software.

Yes. Applications only get access to the resources needed to do what I want them to. Sorry, nobody gets telemetry.

It is a bit of a pain the first couple times you run a new app, but settles down fairly quickly. OS X upgrades are far worse - Apple seems to build a dozen new weird little things that want to connect to god knows what every release, and the right answer there is, for instance, `sudo defaults write /System/Library/LaunchAgents/com.apple.gamed Disabled -bool true`

Aside from blocking unwanted telemetry, I have multiple profiles that I switch between depending on the network I'm connected to. If I'm tethered to my phone, I restrict almost all traffic unless it's something I'm using so I can conserve data. The profile assigned to my home network is a lot more open.

Absolutely. Every now and then I have to click a few buttons, but that's OK. I like knowing what installed programs are doing.

Yes, I do, why?

No, I use it for monitoring only.

Little Snitch is at once both great and horrifying. If you watch the day to day stuff that happens on MacOS, you'll see that Apple's reputation for security and user privacy is a pretty low bar. Aside from the constantly pinging Apple defaults, so many third party apps are just all the time phoning home to corporate servers when they're not even in use. Chrome can really just look for updates when I open it, not check in with Google about god knows what every thirty minutes.

Serious question: Can I use only profiles (e.g. no connection until the VPN is connected) and the rest of the time Little Snitch should behave like it's not installed? I'm not a big fan of watching every connection... have done this in the distant past with Zone Alarm and Windows and it was more bothersome than anything else. I also doubt it increases my personal security a lot.... especially when I think about my normal Android phone which is sitting beside my PC.

Yes, I used to use it and had it set up like this. You create one profile which basically allows only the VPN negotiation daemon to access the network, and then another profile where there is no alerting or blocking.

Your Mac will be very unhappy when on the first profile though - seemingly everything will constantly attempt to call out because it can see an active connection.

I ended up removing Little Snitch because I felt that it was causing instability. I could never pinpoint the issue, but things seemed much more flaky when it was running. YMMV, and I was using it a major release ago so things might be better now.

Thanks for your detailed answer! Makes me think I should probably not invest in Little Snitch.

First thing I install on any new system, couldn't recommend it more!

And the ability to do per-application captures and open them in wireshark is excellent for debugging.

Something like this would be brilliant on Android. Anyone know anything related?

It'd be great if it was for non-root too, but I'm not sure if it's possible.

I've been using NoRoot Firewall [1] for blocking access to the internet on a per-app basis and haven't had any issues with it.

[1] https://play.google.com/store/apps/details?id=app.greyshirts...

That looks really good, thanks!

I assume it works as a proxy?

I think AFWall [1] is what you're looking for, at least the closest I know.

[1] https://github.com/ukanth/afwall

I think this is not possible by design (every app can go online). Adguard (which is an adblocker, runs without root) installs a local VPN where you can add rules, but I think (not sure) you cannot distinguish which program makes the request. So with this local VPN approach you can block certain domains/IPs with rules system-wide.

Oh, maybe you're in luck. Just found this: mobiwol http://android.stackexchange.com/a/40926/57180

Little Snitch is a fantastic way for people to shoot themselves in the foot.

Most people using it have no clue what they are doing, block random things, and prevent software from working as expected. Not only can this make things less secure by breaking features such as automatic updates, it also makes developers' lives miserable by having to provide support to people running their software in a half-broken environment.

Oh really! What about those malicious developers who want to snoop in and steal our data, or bloatware, or ad-serving companies who just want to intrude into our system? Or what about Adobe, who runs a fucking system-level service to update a simple reader which I want to control when and how to update? One should be in absolute control of how the network and data are consumed, and that clearly and transparently.


Bad network connectivity blocks random things too; it seems reasonable to expect any supported application to cope.

I absolutely use Little Snitch to block automatic updates of some apps that try to download updates over port 80---I don't trust them to have gotten the authentication right. I'd rather manage those through Homebrew & Caskroom.

Bad network connectivity: 1) is not permanent 2) does not block connections to localhost

I agree with jedisct1

I have and use Little Snitch. It is an important part of my professional toolkit.

But I have run into quite a number of non-programmer, non-sysadmin users who have tried to protect themselves with Little Snitch only to break their computers.

I don't buy this argument. The canonical use case is to block a program from accessing the internet at all. It blocks updates, sure, but you still end up more secure if there's no network in or out at all. Local applications should be able to deal with running offline.

"Are you using a third-party firewall, such as Little Snitch? If so, please click allow all connections for our app so it can communicate with the server properly."

Or be very explicit in the verbiage: "We are unable to contact our update server. If you use a network blocking tool, please allow access to 'update.example.com'. We guarantee that no personal data is collected."

I wish something like this could run at the router level. I am certain my low-end IoT devices are sending out data I don't know about.

You want to see a warning every time a host in your home network tries to connect to the Internet?

A proper config could easily fix that. Either whitelist certain devices for unrestricted access. Or blacklist devices to have to obey the config parameters. And then parameters for which ports and destinations things should be allowed access to on a per device level...

Which is literally describing a firewall/iptables once you drop the "established" incoming rule and block outgoing.

Basically, "I want a router iptables configurator with notifications"
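The per-device router policy sketched in the comments above (whitelist some devices outright, restrict others to specific ports and destinations, and get notified about everything else), as an added example that is not code from the thread or from any of the products named: a small Python generator that turns such a policy into iptables commands for a Linux router. The interface names, the chain name, the MAC addresses and the destinations are all assumed or constructed; the rate-limited LOG rule is the "notification", readable from the kernel log.

```python
"""Per-device outbound policy -> iptables FORWARD rules for a Linux router.

Added example, not from the thread. Everything below is constructed:
the LAN/WAN interface names, the chain name, and the sample devices.
Devices are identified by LAN-side MAC address and are either
"whitelist" (unrestricted egress) or "restricted" (only the listed
(proto, port, destination) tuples; anything else is logged and dropped).
Devices not in the policy at all are logged and dropped (default deny).
"""
from dataclasses import dataclass, field
from typing import List, Tuple

LAN_IF = "br-lan"      # assumed LAN bridge interface
WAN_IF = "eth0"        # assumed WAN interface
CHAIN = "IOT_EGRESS"   # hypothetical chain name
LOG_PREFIX_MAX = 29    # iptables LOG --log-prefix is limited to 29 characters


@dataclass
class Device:
    name: str
    mac: str
    mode: str                                   # "whitelist" or "restricted"
    allowed: List[Tuple[str, int, str]] = field(default_factory=list)


def _log_and_drop(base: str, label: str) -> List[str]:
    """Rate-limited LOG (the notification) followed by DROP."""
    prefix = f"EGRESS-DENY {label}: "[:LOG_PREFIX_MAX]
    return [
        f'{base} -m limit --limit 6/min -j LOG --log-prefix "{prefix}"',
        f"{base} -j DROP",
    ]


def build_rules(devices: List[Device]) -> List[str]:
    """Return the iptables commands, in order, for the given policy."""
    rules = [
        f"iptables -N {CHAIN}",
        # only LAN -> WAN traffic is subject to the per-device policy
        f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} -j {CHAIN}",
    ]
    for d in devices:
        base = f"iptables -A {CHAIN} -m mac --mac-source {d.mac}"
        if d.mode == "whitelist":
            rules.append(f"{base} -j ACCEPT")
            continue
        if d.mode != "restricted":
            raise ValueError(f"unknown mode {d.mode!r} for device {d.name}")
        for proto, port, dst in d.allowed:
            if proto not in ("tcp", "udp") or not 1 <= port <= 65535:
                raise ValueError(f"bad allow entry {(proto, port, dst)!r} for {d.name}")
            rules.append(f"{base} -p {proto} --dport {port} -d {dst} -j ACCEPT")
        # everything else from this restricted device
        rules.extend(_log_and_drop(base, d.name))
    # default deny for any LAN device the policy does not mention
    rules.extend(_log_and_drop(f"iptables -A {CHAIN}", "unknown"))
    return rules


# constructed sample policy (MACs and addresses are documentation values)
EXAMPLE_DEVICES = [
    Device("laptop", "aa:bb:cc:dd:ee:01", "whitelist"),
    Device("camera", "aa:bb:cc:dd:ee:02", "restricted",
           [("tcp", 443, "203.0.113.10"), ("udp", 123, "203.0.113.11")]),
]

if __name__ == "__main__":
    # print rather than execute, so the policy can be reviewed first
    print("\n".join(build_rules(EXAMPLE_DEVICES)))
```

Run it and pipe the output into a shell on the router once you have reviewed it; dropped attempts then show up in `dmesg` or the syslog with the `EGRESS-DENY <device>:` prefix, which is what a notification daemon would tail.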

You only have to see the connection to a server once if you mark it approved forever.

Does Little Snitch catch process injections (i.e. I am currently running in EvilMalware, I open up Chrome, create a new page, write my code into it and create a new thread in it), or is it vulnerable to the same problems Windows firewall applications had before LeakTest and the like? The good Windows firewalls now are able to catch this kind of thing.

I think I understand what you're saying (not very technical), but I have used LS for years. I know that I have blocked Microsoft Word from specific network abilities and tried to open Word files that phone home, and LS catches those.

Objective Development (the developers) are a nice company, also providing V-USB - a bitbanging USB implementation for AVR microcontrollers without USB support. https://www.obdev.at/products/vusb/index.html

4-5 years ago when I last used a Mac for work, there was a program that had an unlimited evaluation period and was just set up to nag on launch (like WinZip). Using Little Snitch just blocked the nag (literally all the license did was remove the nag, so it didn't affect functionality). In the end, I wound up not using the program anyway; I really was just trying to evaluate it without the nag. For some reason Sublime Text comes to mind? I think I wound up just going back to vim.

Installing Little Snitch, I got overwhelmed by how much stuff was trying to make calls in and out. It really does serve its purpose, but you also have to have an idea of what you should be letting out; you can easily break things, and if you just "allow all" it somewhat ruins the point of having it.

Is there one absolutely similar for Windows? Closest I found was GlassWire.

I used to use something called Tiny Firewall, was quite capable and similar. Not sure what happened to it.



It works with the Windows Firewall. Only the registered version allows notifications for blocked outbound connections ($10 "donation" required).

You could just buy the whole security suite of your firewall program which comes with a firewall probably. For example ESET Cybersecurity comes with a firewall.

I think these features should be included in every OS nowadays, like we have firewalls.

Anyway, I will probably buy this app, even if I share some concern others have about its own network calls.

Has anyone figured out how to stop Google's autoupdate process (ksfetch) from tripping LS nonstop? It spawns multiple new temporary processes when checking for updates, and LS requires a path to a specific process file to block it. This has made LS unusable for me since uninstalling all Google products isn't an option for me.

Little Snitch is great. You need to have a strong understanding of networking and the apps that you use, to use it successfully. It is great at opening your eyes to what apps are trying to connect where, and by catching a cap you can investigate what they are sending.

Long-time LS user and love it. Yes, the constant notifications will tax your Qi, but once you've set up the bulk of your rules it'll give you a lot of peace of mind. Also grab Lingon X if you're serious about control.

Is it open source? Couldn't find anything on their site which is disappointing.

I realize that not everything can be made open source, but I personally don't trust closed source security applications.

What's to trust exactly?

It blocks connections to domains/IPs you want it to, and allows others.

You can easily verify that it behaves correctly with common network tools.

This is not some deep cryptography shit...

What if it doesn't show a specific application making requests? What if it chooses to not do that? How do we know?

As I said, "You can easily verify that it behaves correctly with common network tools".

Track its behavior from an exit node of your network and see whether it matches your rules.

Not really much difference than manually checking some tens of thousands of lines of an open source application, or trusting that the binary you got from the repo corresponds to the source (and of course even hashes can be tampered).

Plus, even if it chose "to not show a specific application making requests" you'd still be blocking all others apps, and thus way better off than not having it installed.
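One way to do the check described above (watch the traffic leaving the network from another machine and see whether it matches your rules), as an added example that is not code from the thread or from Little Snitch: an audit script that takes the outbound allow rules you believe are in force and a summary of connections observed at the gateway, and reports every connection no rule accounts for, plus rules that were never hit. The input format, the rules and the observed lines are all constructed for the example; it assumes a capture tool on the gateway or a mirror port that has already reduced flows to `<epoch> <src_ip> <dst_host_or_ip>:<port>` lines with names taken from DNS or TLS SNI, and it supports the `*.example.com` suffix wildcard so that one rule covers a whole domain.

```python
"""Audit observed egress against an outbound allow-list.

Added example, not from the thread. A rule is (host_pattern, port), where
host_pattern is an exact hostname, a bare IPv4 address, or "*.domain"
(any name *under* domain, not the apex), and port 0 means any port.
Observed lines are constructed: "<epoch> <src_ip> <dst>:<port>".
"""
from collections import Counter
from typing import List, Optional, Tuple

Rule = Tuple[str, int]
Connection = Tuple[str, str, str, int]   # (timestamp, src, host, port)


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; the wildcard keeps its leading dot so that
    "*.apple.com" matches "swscan.apple.com" but not "notapple.com"."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])     # pattern[1:] == ".apple.com"
    return pattern == host


def matching_rule(rules: List[Rule], host: str, port: int) -> Optional[int]:
    """Index of the first rule that permits (host, port), or None."""
    for i, (pat, rport) in enumerate(rules):
        if rport in (0, port) and host_matches(pat, host):
            return i
    return None


def parse_line(line: str) -> Connection:
    ts, src, dst = line.split()
    host, _, port = dst.rpartition(":")    # rpartition: IPv4 host has no ':'
    return ts, src, host, int(port)


def audit(rules: List[Rule], lines: List[str]) -> Tuple[List[Connection], List[Rule]]:
    """Return (connections no rule permits, rules never hit)."""
    unexpected: List[Connection] = []
    hits: Counter = Counter()
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        conn = parse_line(line)
        idx = matching_rule(rules, conn[2], conn[3])
        if idx is None:
            unexpected.append(conn)
        else:
            hits[idx] += 1
    unused = [rules[i] for i in range(len(rules)) if hits[i] == 0]
    return unexpected, unused


# constructed allow-list: what the host-side rules are believed to permit
RULES: List[Rule] = [
    ("*.apple.com", 443),
    ("time.apple.com", 123),
    ("198.51.100.7", 0),
    ("updates.example.org", 80),
]

# constructed gateway summary, not real traffic
OBSERVED = """
# epoch        src          dst:port
1484900000 192.0.2.10 swscan.apple.com:443
1484900005 192.0.2.10 time.apple.com:123
1484900009 192.0.2.10 198.51.100.7:8080
1484900012 192.0.2.10 metrics.example.net:443
1484900020 192.0.2.10 apple.com:443
"""

if __name__ == "__main__":
    unexpected, unused = audit(RULES, OBSERVED.splitlines())
    for ts, src, host, port in unexpected:
        print(f"UNEXPECTED {ts} {src} -> {host}:{port}")
    for rule in unused:
        print(f"UNUSED RULE {rule}")
```

Anything printed as UNEXPECTED is traffic that left the network although no rule should have allowed it, which is exactly the discrepancy a hidden or missing entry on the host would produce; UNUSED rules are candidates for cleanup, and note that the apex `apple.com` is flagged because `*.apple.com` deliberately does not cover it.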

I don't trust that it's not doing data collection of its own.

Funnily enough, I vaguely recall that the crack for an older version involved setting a rule where the app would block its own traffic to their own license server. I'm not sure that validating a license counts as data collection, but still pretty funny IMO.

The app costs $35. I presume this is a workable business for the developer, and therefore there is little economic incentive for data collection or other backdoor/nefarious tactics.

I'm much less trusting of free software like most ad-blockers where I have to wonder how they're really making their money.

It depends what you mean by "free". Of course all software should be handled with varying degrees of skepticism, but open source software can be directly verified (though this also requires building from source), and you don't have to just hope that the author was honest.

They've also been on the Mac for 10+ years.

Objective Development were there from the very beginning of Mac OS X.

And prior to that, they were a well known developer for NeXT. Their LaunchBar app originated on NeXTSTEP.

Exactly. How can one be sure that it doesn't use the network for its own nefarious purposes while hiding its own network activity?

By checking the traffic leaving your network from another machine? DUH!

Watch network traffic from a box with LS installed.

No, it's a commercial app (and an age old OS X staple, been using it for over a decade).

It's not.

I'm currently using LS, but one of the problems I have is that it doesn't support wildcard domain rules. This means ephemeral hosts quickly build up a large number of rules which soon become redundant.

Yes it does. You click the domain in the popup and change it to the part of the domain you need. Then you view your invalid rules and it will show you which rules are no longer needed.

One day consumer rights protection agencies are going to scrutinize what we are doing in the background just like they're starting to do to ads.

If anyone is looking for a simpler application that won't inundate you with so much information, try Radio Silence.

FWIW, I love Little Snitch and have used it for at least ten years.

Protect your privacy by running this proprietary application!

This proprietary application has been under development for almost a decade. While it has had its share of vulnerabilities, as would any application of its age, they've also had that long to develop a reputation in the MacOS ecosystem. I'm no expert on Little Snitch or Objective Development, the company behind it, but I can't remember any time they've been caught doing shady or unethical things in the time I've been using it (since about 1.x days). The last disclosed vulnerability that comes to mind (CVE-2016-8661), while being a nasty privilege escalation, was responsibly disclosed and quickly dealt with.

On proprietary hardware, with proprietary firmware, and communicating over a network you don't control end-to-end!

Better not start thinking about the other end...


You're right! The situation isn't perfect so we should just give up!

...which is deeply installed into your system and has (had) plenty of bugs for others to exploit.

I guess it can protect your privacy but also makes your system less secure against advanced attacks. The same thing can be said of AV scanners.

Little Snitch reminds me of Zone Alarm from back in the day.

This seems like a joke given that it's not open source.

Care to elaborate on such a bold statement?

This software seems to exist for people who (correctly) don't trust their own computer's software, and want to keep tabs on it.

By distributing Little Snitch as closed source you now need to place your trust in Little Snitch itself.


Vote with your wallet.
