
Little Snitch feature nobody knows about

amendegree

Someone created a similar extension for Chrome called little rat[0], it needs to be installed in developer mode because Chrome doesn’t allow extensions to interact with each other normally.

[0] https://github.com/dnakov/little-rat?tab=readme-ov-file

noahjk

I was using a similar extension which whitelisted / blacklisted IP addresses in Chrome. I had it set to blacklist my home IP, which I paired with an in-browser VPN app. Since Chrome's latest extension update (about 3 weeks now?), I've had Chrome send requests to pages which were open before the extension loaded, leaking my IP. I assume similar issues could happen extension-to-extension, so this shouldn't be used for any privacy-related reasons - can't trust a Chrome extension to block 100% of anything.

cipehr

I haven't used Little Snitch in nearly 15 years... I love all the security-focused apps that Objective-See puts out, and they have a Little Snitch equivalent "LuLu".

Does anyone know if the same thing can be achieved with LuLu? https://objective-see.org/products/lulu.html It looks like it can but I haven't used it yet.

magic_smoke_ee

Then you don't have control or visibility over Apple or third-party apps sending analytics likely without your approval.

LuLu has a fatal flaw: it drops or closes TCP connections randomly resulting in dropped SSH sessions. No amount of TCP keepalives on the client- or server-side will resolve this. This makes it a non-starter for anyone doing anything real.

Also good:

- BlockBlock - disk access application "firewalling" on top of macOS's privacy & security settings is very good

- RansomWhere? - ransomware process mass file change interception

- ReiKey - input interception monitor

- ProcessMonitor, DNSMonitor, FileMonitor, TaskExplorer, KextViewer, NetIQuette, Dylib Hijack Scanner, KnockKnock

- Oversight - webcam and audio hijack monitor (although I use ancient EOL Growl + Hardware Growl just to catch hardware events too)

- No longer useful or usable: Do Not Disturb, LuLu

zikduruqe

You can go to settings and then lists to put in your custom blocklists.

OptionOfT

I currently don't have a Mac, but could we do an MITM inspection to see what is requested and responded?

Since this is a Google domain I wonder if Apple pins the certificates.

I am currently battling a bug on iOS where blocking mask.icloud.com & mask-h2.icloud.com leads to Mail 'checking for email' for a long time. But I can't inspect what is requested. And supposedly, this is the way to prevent iCloud relay: https://developer.apple.com/icloud/prepare-your-network-for-...

lapcat

Do you have Protect Mail Activity or Hide IP Address enabled in Mail Privacy Protection Settings?

OptionOfT

No. That's all disabled. In fact, after x minutes the mail comes in.

Also, I tried replying with NOERROR and NXDOMAIN. Neither works.

fmajid

It could also be downloading the database of known malicious sites from Google Safe Browsing:

https://transparencyreport.google.com/safe-browsing/overview

lapcat

No, that's safebrowsing.googleapis.com

MaxwellsDaemon

My guess was a favicon for the search window

lapcat

What search window?

midtake

> The trick is to use "via" in the Little Snitch rule. When you're creating the rules, enter the full file paths of the two processes, separated by "via".

Everyone who has used homebrew knows this one.

KORraN

Well, here's me, so not everyone.

lapcat

Was this supposed to be a joke? It's not a good joke.

hk1337

It's been some time since I have used Little Snitch and I never really got all that deep into it, so what I am thinking may already exist.

It would be nice if you could import a text or config file of standard things to allow/block. A general format that people could post, fork, edit, their own variations. Something akin to stevenblack/hosts providing a base list of hosts to block but the list is categorized as well as could be customized.

Another, probably better example, is something that could be saved in a dotfiles repository. You can share it with others but also if/when you need to set up a new computer, you don't have to start completely fresh with Little Snitch.

1vuio0pswjnm7

It's amusing to hear of a software developer just beginning to block ssl.gstatic.com in 2025 when other folks have been denying access to ssl.gstatic.com and various other unnecessary domains for many years, years before Little Snitch even existed. The author confesses he did not know about his web browser phoning home to ssl.gstatic.com but titles his blog post about Little Snitch with the phrase "that nobody knows about" insinuating that he now knows about something that others do not. Funny.

lapcat

> years before Little Snitch even existed

Little Snitch was first released in 2003. Unfortunately, your comment is a stereotypical example of the worst of Hacker News, both condescending and ignorant.

In any case, it's unclear exactly which version of Safari and/or macOS started the specific behavior noted in the blog post. Moreover, as the blog post also notes, it's problematic to deny ssl.gstatic.com across the board, because that causes website breakage.

> The author confesses he did not know about his web browser phoning home to ssl.gstatic.com but titles his blog post about Little Snitch with the phrase "that nobody knows about" insinuating that he now knows about something that others do not.

This is a gross mischaracterization of the blog post, the title of which literally starts with "Little Snitch feature". I'm certain that nobody knew about the feature (matching an associated process with "via"), because the Little Snitch developers themselves weren't aware of it until they reviewed the implementation.

philsnow

I had thought that maybe it was pre-warming a connection so that when the user searches for something, it saves a network round trip and seems faster, but probably not if it’s to a static domain.

hernantz

Is there similar software for Linux?

perihelions

kreyenborgi

I use this. The first week was weird and scary until I had accepted the rules I needed for my daily usage, now it's been weeks since it's said anything (and I had to check that it was still running but it is).

E.g. running the android emulator was enlightening :-S

jazzyjackson

This looks similar, Safing Portmaster

https://github.com/safing/portmaster

kylehotchkiss

Interesting! I see this not so much as a feature people would use to make their own rules but a good feature for those creating lists of rules, like in this case "Un-Google my Mac"

rustc

If using Google Fonts without explicit informed consent is a GDPR violation then this surely is too?

tom1337

You've probably agreed to that somewhere in the Terms Of Service and therefore gave consent

rustc

From what I've read online, that would not be enough.

According to https://gdpr-info.eu/issues/consent/

> Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.

Declining terms of service will affect the outcome so it can't be considered "freely given consent".

lcnPylGDnU4H9OF

It seems GDPR authorities don't think like that. There's probably a reason OP included "informed" in their comment.