Harmless Systems

There is no such thing as harmless software.

Little Snitch

Your very own network informant.

Little Snitch Network Monitor

If you're running macOS and interested in gaining more insight into the outbound connections made by apps on your computer, then Little Snitch might pique your interest. Little Snitch has three different modes of operation. The most useful (and also most overwhelming) is "Alert Mode", which prompts you whenever an application makes an outbound request, pausing the application until you either approve or deny the request. Your decision will be remembered whenever the application attempts to make the same type of connection in the future.

Why is that functionality useful? Well, like some of the best debugging and troubleshooting tools, it often asks more questions than it answers, such as:

Why is Docker Desktop attempting to make http connections while idle, even though I have "Automatically check for updates" and "Send usage statistics" disabled? Perhaps more attempts to "improve" the user experience?

Little Snitch alert for Docker

Why does the HP printer driver installer need to connect to Google Analytics? Hint: It doesn't. You can safely block requests such as these and often the application will still be functional.

Little Snitch alert for HP Easy Start

Why does the Last.fm Desktop app make requests using port 80 instead of 443?

Little Snitch alert for Last.fm Desktop

Let's dig into that last one a little more and capture the network traffic using the packet capture functionality built into Little Snitch. Click on the Little Snitch icon in the menu bar and select "Show Network Monitor", then context-click on the application of interest and select "Capture Traffic of ...".

Little Snitch network traffic capture

This will give us a pcap file we can view with a tool such as Wireshark.

Oh wonderful, that's an API key being sent over plain-text http. Hello, CVE-2019-19251!
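The check done by eye in Wireshark above can be automated. The following is an added example, not code from the original post: it scans a capture for credential-like parameters sent in readable HTTP requests and reports the host, port and parameter name without echoing the value. It assumes the capture is a classic pcap file with Ethernet link type (not pcapng); the parameter-name list, the helper names and the sample capture are constructed for illustration.

```python
import re
import struct

# Parameter names that usually carry credentials (assumed list; extend as needed).
SECRET = re.compile(rb"([A-Za-z_]*(?:api_?key|token|secret|password))=", re.I)
REQUEST = re.compile(rb"(?:GET|POST|PUT|DELETE|HEAD|PATCH) \S+ HTTP/1\.[01]\r\n")
HOST = re.compile(rb"\r\nHost: *([^\r\n]+)", re.I)

def tcp_payloads(pcap):
    """Yield (dst_port, payload) per IPv4/TCP packet in a classic Ethernet pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IPv4 header
        if len(tcp) >= 20:
            yield struct.unpack("!H", tcp[2:4])[0], tcp[(tcp[12] >> 4) * 4:]

def cleartext_secrets(pcap):
    """Return sorted (host, port, parameter) for credentials sent over plain HTTP."""
    found = set()
    for port, data in tcp_payloads(pcap):
        if REQUEST.match(data):  # only readable HTTP; TLS records never match
            host = HOST.search(data)
            name = host.group(1).decode("latin-1") if host else "?"
            found.update((name, port, p.decode()) for p in SECRET.findall(data))
    return sorted(found)  # parameter names only; values are never echoed

def _frame(dport, payload):
    """Constructed Ethernet/IPv4/TCP frame using documentation addresses."""
    tcp = struct.pack("!HHIIBBHHH", 50000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return b"\x02" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap():
    """Constructed capture: one plain HTTP request and one TLS-like record."""
    http = (b"GET /v1/tracks?user=alice&api_key=EXAMPLEKEY HTTP/1.1\r\n"
            b"Host: api.example.test\r\n\r\n")
    packets = [_frame(80, http), _frame(443, b"\x16\x03\x01\x00\x05hello")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out
```

To run it on a real capture, pass the file's bytes to `cleartext_secrets()`; any result means a credential crossed the network unencrypted and should be rotated.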

Configuration Tips

Being interrupted by a prompt for every network request can be quite frustrating but if you tweak just a few settings it can be much more tolerable.

After installing Little Snitch, click the icon in the menu bar and select "Silent Mode". This will allow all connections until you get the configuration set.

Enable Silent Mode

Click on the icon in the menu bar once more and go to "Little Snitch Preferences". From there, go to the "Alert" section.

Alert Settings

Detail Level: Set this to "Show Port and Protocol Details". This allows you to set fine-grained rules as needed.

Rule Lifetime: Setting this to "Until Logout" or "Until Restart" is a safe way for you to block or allow requests that you're unsure about. When you log out or restart your computer, the rule is no longer active and you will receive the prompt the next time the connection is attempted.

Domain or Host: Set this to "Full Hostname"; it doesn't hurt to have as many details as possible, for example to distinguish between an app connecting to api.company.com or analytics.company.com.

Port and Protocol: Set this to "Specific" for the same reason as above. You may want an app connecting to api.company.com on port 443 but not on port 80.

Confirm with Return and Escape: I highly suggest unchecking this option as shown in the screenshot. On more than one occasion I accidentally approved or denied a connection while typing because I hit the Return or Escape key when an alert took keyboard focus.

After you've set these options, click on the Little Snitch icon in the menu bar again and set it to "Alert mode". You will start to get alerts pretty quickly after enabling it.

Example Alerts

Here's an example alert from opening Microsoft Remote Desktop for the first time:

RDP example

I'm not sure why it would be necessary to make an https connection to use RDP, I suspect I can block this, but I just need to get some work done, so I'll keep all the defaults and blindly Allow the connection. I'll likely see this alert again in the future and if I have more time I might try blocking it to see if it prevents the app from working.

Firefox example

The above screenshot is a great example of an alert you should only ever see once.

Because I always want Firefox to make https requests, I've changed the drop-down from "Until logout" to "Forever" and I've chosen the more general rule of "Only TCP port 443 (https)". Now, I'll never get an alert when Firefox makes a connection on port 443 (https). But I will receive a notification if Firefox makes a connection to port 80, 8080, etc.

Blocking all connections to port 80 is a great companion to the HTTPS Everywhere extension and to a hosts file blacklist such as StevenBlack/hosts, which you can use to block requests to undesirable domains that use TCP port 443 (https).

Living with a Snitch

After a few hours of normal usage, you should have created a decent ruleset that you can continue to tweak over time. You may be shocked and annoyed when you discover all of the outbound connections made by applications that you use every day (looking at you, Google Chrome!). You may even stop using those applications and find an alternative. This insight is invaluable, and Little Snitch is, so far, my favorite macOS app.

A discussion of firewalls for macOS would not be complete without mentioning Objective-See's LuLu, an Open Source firewall with some competing features. We'll try out LuLu and compare it to Little Snitch in a future blog post!


Note: Harmless Systems is not affiliated with Objective Development or any of Little Snitch's authors. We have not received any compensation for this blog post.