Is Little Snitch worth it?

Discussion in 'Mac Apps and Mac App Store' started by zooby, Jul 3, 2017.

  1. zooby macrumors 6502a

    Joined:
    Feb 2, 2008
    #1
    I do not have a software based firewall so I was wondering if this app was worth using. I know some swear by it, but I downloaded a trial and was a bit confused as to which processes to allow or deny. I am not a heavy user and mostly use my laptop at home and at my university.
     
  2. SoggyCheese macrumors regular

    Joined:
    Nov 5, 2016
    Location:
    Maybe UK, Maybe Spain, maybe even elsewhere
    #2
    Absolutely it's worth it. Takes a bit of training to get it to the point where it stops nagging you, but remember that you're not the first to go through this process. Google any process name you're unsure about and there's always someone out there to explain what it is. Tailor LS and you can limit each process down to just what you want it to connect to, plus anything new that installs can't connect out at all until you manually allow it, so any nasties on your machine get blocked by default.

    I once caught and identified an infected machine at our place that was horizontally scanning our entire network for other hosts to infect too, all thanks to Little Snitch's prompts about whether I should allow the connection. So it doesn't just protect you, it helps protect the network your machine is connected to.

    Well worth the money IMO.
     
  3. zooby thread starter macrumors 6502a

    Joined:
    Feb 2, 2008
    #3
    First of all, thanks for your reply. Sounds like LS is one of the first softwares I'll have to install right after my next clean install (High Sierra).

    I am semi getting used to it... I guess my main question is - how do I know which connections I should allow? Like, say the Apple processes - do you choose to forever allow *any* connection or just the specific port it wants to connect to?
    Also, you said you identified and caught a bad connection - how would I know or detect this? Like, what are some key things to look out for... will this be coming from an Apple app?
     
  4. KALLT, Jul 3, 2017
    Last edited: Jul 3, 2017

    KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #4
    The software itself is definitely worth it, but I would recommend against buying it unless you are enthusiastic about using it. As you have seen yourself, the amount of knowledge, experience and work it requires is extensive. A single process (an application can contain multiple processes) can have dozens of connections and there are well over hundreds of processes on a ‘clean’ system that could trigger LS. This number seems to be only increasing.

    The most obvious signs are that the connection comes from a process that is not installed in a system location and that you don’t recognise as software you installed yourself. Malware likes to install itself into hidden locations, which you would be able to spot in this way. However, it is also common for malware to conceal itself by using Apple's nomenclature, so mistakes are easily made. The URL or IP address can be suspicious too, as well as the port. You will find that even many Apple processes will connect to seemingly random hostnames (e.g. for iCloud) and obscure IP addresses. The number of connection requests you will receive will quickly lead to fatigue and sloppiness.

    Honestly, unless you know the system’s directory structure and pay close attention to where you install software, chances are awfully low that you would become suspicious. It is a tool for dedicated and advanced users. I am using the tool myself and I do have quite a bit of knowledge about the directory structure and its processes, but I am realistic enough that I don’t trust myself to spot any suspicious requests when they pop up. I use it mainly to monitor certain apps and to block undesirable connections.
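
The path, naming and port signs described in post #4, sketched as an added example (not part of the original thread, and not how Little Snitch itself decides anything). The system prefixes, the port set, the `INSTALLED` list and the sample records are constructed assumptions; the remote host is carried along but not scored, since the post notes that even Apple processes connect to random-looking hostnames.

```python
from pathlib import PurePosixPath

# Assumed system locations and "ordinary" remote ports for this sketch.
SYSTEM_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/")
COMMON_PORTS = {53, 80, 123, 443, 993, 5223}

def triage(path, port, installed_by_user=()):
    """Return the reasons a connecting process deserves a closer look."""
    parts = PurePosixPath(path).parts
    in_system = path.startswith(SYSTEM_PREFIXES)
    recognised = path.startswith(tuple(installed_by_user))
    reasons = []
    if not in_system and not recognised:
        reasons.append("not in a system location and not software you installed")
    # Any dot-prefixed component (directory or the binary itself) is hidden in Finder.
    if any(part.startswith(".") for part in parts[1:]):
        reasons.append("runs from a hidden location")
    # Apple-style naming only means something inside Apple's own locations.
    if not in_system and "apple" in parts[-1].lower():
        reasons.append("Apple-style name outside system locations")
    if port not in COMMON_PORTS:
        reasons.append(f"uncommon remote port {port}")
    return reasons

def review(records, installed_by_user=()):
    """Map each flagged executable path to its reasons; clean records are dropped."""
    flagged = {}
    for path, _host, port in records:
        reasons = triage(path, port, installed_by_user)
        if reasons:
            flagged[path] = reasons
    return flagged

# Constructed sample: (executable path, remote host, remote port).
INSTALLED = ("/Applications/Firefox.app/",)
SAMPLE = [
    ("/usr/sbin/mDNSResponder", "192.0.2.53", 53),
    ("/Applications/Firefox.app/Contents/MacOS/firefox", "www.example.com", 443),
    ("/Users/me/Library/.cache/com.apple.updater", "198.51.100.7", 8443),
    ("/private/tmp/helper", "203.0.113.20", 443),
]

if __name__ == "__main__":
    for path, reasons in review(SAMPLE, INSTALLED).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```
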
     
  5. Pakaku macrumors 68000

    Joined:
    Aug 29, 2009
    #5
    You can always just experiment with denying stuff if you're not sure, and then check if it's breaking anything or not. Eventually you figure it out after enough tinkering.

    If you're installing on a fresh machine, there shouldn't be any malware or bad connections taking place, in which case it should be safe to allow any immediate connections the Mac tries to make. Once that's set up, you can start adding apps you would normally use, and then work with LittleSnitch as it picks up anything.

    Websites tend to be about allowing connections to names that match the website name (like cdn.macrumors.com for here), learning about what 'global' names are okay (like cloudfront.net) and denying pretty much everything else. If something breaks, just try disabling denied rules one at a time until it's functional again.

    After a month I tend to go through my rules and set stuff to All Applications. It doesn't work for Safari as far as I know, because it uses something else to connect, but it handles nearly everything else.
     
  6. jlfree634 macrumors newbie

    Joined:
    Nov 24, 2016
    Location:
    Texas
    #6
    I've used LS for about 4 years now. It is worth the purchase.
     
  7. zooby thread starter macrumors 6502a

    Joined:
    Feb 2, 2008
    #7
    Thank you guys. I am gonna try to learn more about LS. I kinda want to start over though, since I researched a bit more about it. Final question - for processes you "trust" forever, do you allow on the port/site or any connection?
     
  8. allan.nyholm macrumors 6502a

    Joined:
    Nov 22, 2007
    Location:
    Aalborg, Denmark
    #8
    Don't bother using Little Snitch. It's mainly used by those pirating software that wants to stop the pirated program from connecting to the activation server for said program. It was like this in the past and I doubt it has changed. Security might have a thing to say here. Or Nagcurity.

    With that said - I've used it after some 3rd party apps getting more and more in the zone about sending data off of my Mac to their servers and diagnostics department. I dislike that trend. Am I going to hunt every checkbox in every app to tick that off so that no data is sent? No. Little Snitch can give you a heads up on those particular apps. But it's just not worth it having to spend most of your adult life deciding to allow or deny a connection of which there are so many.

    I also tried the Hands Off! app and the ones from https://objective-see.com/products.html - none of which does anything for me. Objective-See does have good apps that hook onto the OS - but I would rather enjoy my time with my Mac and macOS than waiting for that popup of allow or deny. I want Apple to let their OS send off diagnostics - but if I don't I find that spot in the System Preferences and turn it off.

    I wouldn't bother installing Little Snitch. But these days security is in the high seat. Can you avoid any attack from the Internet with Little Snitch? Possibly. It's the approach to the interface of Little Snitch I dislike the most. The never ending growing list of apps and services piling up in the Little Snitch Configuration. The newer Little Snitch 4 looks rather nice interface-wise. Some new things that might get me more inclined to use this app in the future. Basically I'm all over the place with opinions and have no clear agenda other than to perhaps dive in and experience Little Snitch yourself.

    Before someone comes in and says "But what about ransomware" Yes that is a problem. Little Snitch can help you not get ransomware? I try to not think too hard because of my dislike for thinking too hard about potential threats.
     
  9. zooby thread starter macrumors 6502a

    Joined:
    Feb 2, 2008
    #9
    I agree... It really does need to make it more user-friendly and not just a program for advanced users. I do like it, but it is getting annoying. Interesting how you say that about those pirated apps. Do they actually connect to the server for activation? I was under the impression a lot of those were cracked and just ran without needing to connect to the server. Probably dangerous to download them though - too risky and may be filled with malware.
     
  10. allan.nyholm macrumors 6502a

    Joined:
    Nov 22, 2007
    Location:
    Aalborg, Denmark
    #10
    It's sometimes this and sometimes the other. Our well-known friends over at Adobe are having a blast right about now. I just thought I'd mention it since (Little Snitch) is -(or was - one or the other ;) ) described in every type of that particular software's readme.txt

    It's very convoluted and I'd like to take this moment to withdraw myself from further talk on software that is of the not-legal kind as it is against forum policy.
     
  11. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #11
    I would advise against using Little Snitch or similar software. It's very questionable if software firewalls really provide additional security. On the contrary, they may actually add additional attack surfaces to the system. For example, last year on DEFCON there was a presentation on how a bug in Little Snitch could be used by malware to gain higher system privileges:

    https://www.theregister.co.uk/2016/08/03/mac_firewall_littlesnitch/

    (if you are interested in the details, the original presentation can be found here).

    He also demonstrated that Little Snitch could be easily bypassed by malware. This is a fundamental issue with software firewalls. If your system has already been compromised by malware, you cannot rely on any software running on that system for security.

    At best you can hope to prevent some applications from sending telemetry back (although it will often be difficult to separate telemetry from legitimate traffic). But I'd argue it's better simply not to use applications from developers that you don't trust.

    For security, you're better off to utilize what the OS has to offer: Use a non-admin user account for your regular work, make sure that SIP is activated, and always get software installers directly from the source or from Apple's store.
     
  12. posguy99 macrumors 6502a

    Joined:
    Nov 3, 2004
    #12
    Little Snitch isn't what you think you mean when you say "software based firewall". You most certainly *do* have a firewall... the one built into OS X. Software like Little Snitch could be more accurately called a filter. It monitors connections outbound from your machine.
     
  13. campyguy macrumors 68040

    Joined:
    Mar 21, 2014
    Location:
    Portland / Seattle
    #13
    LS is worth it IMHO, but not as a SW-based firewall - also don't waste your time reading about the now-year-old exploit in Rigby's link that was an issue for only a few days (https://reverse.put.as/2016/07/22/s...oiting-a-critical-little-snitch-vulnerability) that was fixed even before the originating post was published. Citing old news isn't helpful, and it isn't relevant to LS today.

    The firewall built into OS X should be sufficient for most use and there's plenty of online resources on how to set it up and why. Your modem and/or router also have a built-in firewall utility and you should spend time familiarizing yourself with its capabilities.

    I use LS, but only to determine which apps are "phoning home" after an install, and I disable LS after I'm either comfortable with an app's behavior or have fenced in that new app. I do not recommend LS for those not needing granular network monitoring.
     
  14. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #14
    Oh my. It was an example. Can you guarantee that there are no further vulnerabilities in it? Do we have any idea how thoroughly the maker of this software tests and hardens it?

    Generally, every piece of software that runs with elevated privileges and/or uses kernel extensions potentially increases the attack surface.
     
  15. Pndrgnsvc, Jul 5, 2017
    Last edited: Jul 8, 2017

    Pndrgnsvc macrumors 6502

    Joined:
    Jun 13, 2008
    Location:
    Georgetown, Texas
    #15
    Little Snitch 4.0 was just released. The DL and install were without issue, but am still plowing through all the (numerous) changes. So for now, can only say it appears that a great deal has changed.

    BTW: US $25.00 paid upgrade.
     
  16. steve23094 macrumors 68000

    Joined:
    Apr 23, 2013
    #16
    Hmmmm.... I see that High Sierra requires LS4. I purchased LS3 recently and I am expected to pay for an upgrade. I hate money grubbing devs so ObDev can bite my backside, they won't be getting any extra money from me. Anybody else thinking about a purchase should consider carefully, do you want to support a dodgy developer and possibly find yourself in the same boat as I?

    In answer to the OP's thread title....'No'.
     
  17. KALLT, Jul 5, 2017
    Last edited: Jul 5, 2017

    KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #17
    I got around to trying version 4 today and it actually has some helpful opt-in filters for Apple and iCloud services. This can help a lot in the beginning.

    This is rubbish. Version 3 existed since 2012. If you had bought it then, you would have gotten 5 years of support. They even give existing customers a 50% discount for version 4. This is just tough luck. If it wasn't that long ago, you should contact them.

    That is the case for the built-in application firewall too. It is always a trade-off. However, this developer seems to be quick to respond to security issues and has been around for almost as long as macOS itself. I give them the benefit of the doubt.

    It is not just about trust, it is about reclaiming choice. It is becoming increasingly difficult to control tracking and telemetry, in my opinion. I do not want to stop using software that works for me, just because I disagree with the developer’s privacy policy.
     
  18. steve23094 macrumors 68000

    Joined:
    Apr 23, 2013
    #18
    You seem to have missed the point I purchased version three recently. Decent developers have a grace period whereby recent buyers can get a free upgrade. I don't know what theirs is but it's less than four months.

    So not rubbish, not tough luck, crappy money grubbing developer. If they think I'm going to pay again for software because my version immediately becomes incompatible with High Sierra then get stuffed. Fool me once shame on you, fool me twice shame on me.
     
  19. campyguy macrumors 68040

    Joined:
    Mar 21, 2014
    Location:
    Portland / Seattle
    #19
    I'll respectfully offer a chill pill solution, as an owner of LS 3. I purchased multiple licenses of LS 2, not long before LS 3 was issued. The dev offered recent LS 2 purchasers a free upgrade a couple of weeks after the LS 3 app hit the interwebs. The dev is and has been very responsive to their buyers for several years now - don't judge just yet and drop them a message, they've without fail always returned my messages…

    I received S/Ns for LS 3 from them within a few days of my inquiry. No issues since.
     
  20. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #20
    I didn't like how they reacted to the bug discovered last year. Rather than calling it what it was (a vulnerability for which a real exploit existed) and assigning it a CVE number, they downplayed it ("rare issue that could cause kernel panic"). And yes, of course Apple's system software is also at risk. But we know that they put significant resources in testing and security.
     
  21. Digital Skunk macrumors 604

    Joined:
    Dec 23, 2006
    Location:
    In my imagination
    #21
    If you're an average user then Little Snitch is a bit overkill if you're just worried about security. It's nice to have a filter (as one user said above, it's not simply a Firewall) when you're in places with heavy traffic, but simply taking the time to practice good habits will help. For instance, if you have an iPhone connect through that instead of a random open network in some public place. Stick with trusted networks, and the combination of your built in Firewall and theirs will help keep you secure.

    Little Snitch worked best when I had to maintain the servers and networks for multiple systems and subnets. LS allowed me to see what was going in and coming out, block connects, shut them down, prevent connections (to Facebook for instance or YouTube ... I was a low-level network manager for various newspapers and such), and provide logs for which system went where, when, and for how long, etc.

    LS for basic security and to act as a Firewall really is a bit much. It'd be like using Final Cut Pro to make a 4k GIF.
     
  22. SaSaSushi macrumors 68040

    Joined:
    Aug 8, 2007
    Location:
    Takamatsu, Japan
    #22
    Actually 25 Euros ($28.50 USD at the moment). Just bought my upgrade. I love Little Snitch. I want to know what apps are establishing outgoing connections and to where. For this purpose I know of no solution as elegant and painstakingly crafted as LS.
     
  23. ziggy29 macrumors 6502

    Joined:
    Oct 29, 2014
    Location:
    Texas
    #23
    Depending on how recently you bought LS3 (especially within the last 30-90 days), I'd contact the developer and ask about it. It's not uncommon for people who bought *just* before a new paid upgrade to be given a free upgrade. Usually they seem to "cut off" between about 30 and 90 days prior to release of the new version.
     
  24. Tech198 macrumors G4

    Joined:
    Mar 21, 2011
    Location:
    Australia, Perth
    #24
    I wouldn't say Little Snitch is worth it for everyone, (if you know what you are doing you clearly may not need it unless, u start making mistakes more often), but it's a handy tool to know what connections are being opened behind your back. eg... if u only use software you need, and not install anything just because..... then not required.

    I started using it ages ago, but then found later, my own intuition is better :D
     
  25. zooby thread starter macrumors 6502a

    Joined:
    Feb 2, 2008
    #25
    Gotcha! How does this work say I am on a public wifi say at a cafe? Like, what is a good practice? I had no idea that simply connecting to one was that dangerous... man, I am very behind.

    I do not have a built in firewall... or are you referring to the Mac firewall under settings? Cause as far as I know, that is only one kind of connections, not the ones LS shows.

    I don't have any pirated software, if that is what you are referring to haha.
     
