Block subdomains?

General discussions about Little Snitch
christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am

Re: Block subdomains?

Post by christian » Wed Mar 17, 2010 9:07 pm

Rules with wildcards in host names are of course on our to-do list.

However, things are not as simple as it may seem. It's easy to have contradicting rules when each rule includes many IP addresses. When we make the next major update to the filtering engine, we plan to add wildcard rules and a mechanism which copes gracefully with contradictions among rules.

paulc
Rank 2
Posts: 62
Joined: Fri May 22, 2009 7:13 pm

Re: Block subdomains?

Post by paulc » Wed Mar 17, 2010 9:21 pm

Excellent.

You do realize, customers can get testy when they feel their requests seem to go into a black hole...

mutant
Posts: 8
Joined: Wed Jul 15, 2009 3:41 am

Re: Block subdomains?

Post by mutant » Wed Mar 17, 2010 11:18 pm

christian wrote: Rules with wildcards in host names are of course on our to-do list.

However, things are not as simple as it may seem. It's easy to have contradicting rules when each rule includes many IP addresses. When we make the next major update to the filtering engine, we plan to add wildcard rules and a mechanism which copes gracefully with contradictions among rules.

Thank you. I think you should lock the thread and make it sticky.

cec772
Posts: 6
Joined: Wed Mar 17, 2010 4:52 am

Re: Block subdomains?

Post by cec772 » Thu Mar 18, 2010 2:54 am

That is music to my ears.
Your response is much appreciated.
I realize it is not as simple as it would seem, and am happy to know it is on your radar.

christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am

Re: Block subdomains?

Post by christian » Thu Mar 18, 2010 11:49 pm

It seems that many people want this feature in order to block ads, something like *.my-favorite-ads-site.com. When we support wildcards in domains, you might be disappointed that they don't always do what you expect.

Let me give an example: One of the top ads providers is Google. You might want to block *.googlesyndication.com or something like that. You test it and it even works in the first place. Ads are blocked and you can still search using www.google.com. But what you should know: Google has no dedicated servers for ads. They use the same server pool for all of their services. Yes, pagead2.googlesyndication.com resolves to a different IP address than www.google.com. But that's coincidence. Google's name servers return one IP address from a big pool for every request. It's likely that the first request for pagead2.googlesyndication.com returns a different IP address than the second for www.google.com. But that's not certain. Subsequent requests for both names return different IP addresses each time and after a while (maybe days or weeks), Little Snitch has seen all IP addresses of the pool for both names. Since Little Snitch's low level filter operates on IP addresses, it can't distinguish pagead2.googlesyndication.com from www.google.com any more. The deny rule for *.googlesyndication.com would eventually block access to all other google services as well. Something you probably don't want.

So my question to all who want wildcards in rules is: Do you still think that wildcard rules are the solution for your problem? If not, what do you want to achieve? Is there a better way to achieve it?

[Those who understand the argument above may note that the problem already exists even without wildcard rules. That's true. However, only very few people use Little Snitch for blocking services with IP pools as described above, mostly because it's hard without wildcard rules. The problem is therefore very rare. When we add wildcard rules, it would become more evident. And even worse, it's very hard to explain to the average user what's going on.]

timelessbeing
Posts: 9
Joined: Fri Dec 25, 2009 11:44 pm

Re: Block subdomains?

Post by timelessbeing » Fri Mar 19, 2010 2:12 am

So there's no way to block traffic coming from a certain host name? In other words, if 2 pieces of data come from googleads.com and google.com, and they resolve to the same IP, there's no way for LS to distinguish between the two?

christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am

Re: Block subdomains?

Post by christian » Fri Mar 19, 2010 2:21 am

If the mapping between host names and IP addresses is unique, Little Snitch works as everybody would expect and you can block traffic for a certain host name. However, if two or more names resolve to the same IP address, the same rules apply to both names. You can't have different actions for two host names which resolve to the same IP address.

paulc
Rank 2
Posts: 62
Joined: Fri May 22, 2009 7:13 pm

Re: Block subdomains?

Post by paulc » Fri Mar 19, 2010 2:13 pm

Ah, very interesting.

Thanks for taking the time to speak with us... especially when misconceptions may be involved. I'd still want to have wildcards (most of my rules are of the allow variety, so now I could have a few less of them), but now I have a better understanding of what that CAN mean.

So aside from feature request issues, it really is helpful if someone from ObjDev occasionally joins in the discussion.

timelessbeing
Posts: 9
Joined: Fri Dec 25, 2009 11:44 pm

Re: Block subdomains?

Post by timelessbeing » Fri Mar 19, 2010 6:10 pm

The devs are correct about the IP pool problem.

I know that at least once, I have tried to block certain sites I didn't want, and ended up blocking some service I DO want. This is especially true when you use ranges (ex. 12.34.0.0/16) to block whole swaths of IPs.

I am wondering if there's a way for LS to remember the hostname that data was REQUESTED from, and use that to block the data answered to that request, but I think that would get rather complicated.

To answer christian's question about what I want LS to achieve, yes ads are a big thing. Also sites that try to collect information about my surfing. You've all seen it before... you visit your favourite website, and LS begins to report traffic to half a dozen other sites that have nothing to do with it. Another thing is applications that "call home" other than to check for updates. Basically, I want to deny anything that is unnecessary or sneaky.

LS is a great low-level tool for blocking specific traffic, and I like that. It gives you control, and oversight. It is not ad filtering software. There are more sophisticated programs for that, like AdBlock. (personally, I'd rather ignore a few ads than use up more hardware resources). Many of you should also be aware that Firefox has ad blocking capability, and it's pretty easy too. Right-click any image and it gives you an option to block all images from this site, by adding it to a blacklist. I'm not 100% sure, but I think it also does wildcards. Unfortunately, most ads are now Flash, which makes blocking more complicated.

cec772
Posts: 6
Joined: Wed Mar 17, 2010 4:52 am

Re: Block subdomains?

Post by cec772 » Sat Mar 20, 2010 12:52 am

How easy is it to detect that kind of conflict?
Hopefully you can tell when it occurs,
then pop up a different dialog for the user asking how it should be handled for that domain....
(ask / ignore / allow and probably default to 'all applications' ....)

That seems like a simple way to manage it from a user's perspective.
(good luck figuring out a way to implement it...)

Of course if you can't detect the conflicts, or only after you notice odd behavior,
there isn't much opportunity to do that.

cec772
Posts: 6
Joined: Wed Mar 17, 2010 4:52 am

Re: Block subdomains?

Post by cec772 » Sat Mar 20, 2010 1:14 am

christian wrote: It seems that many people want this feature in order to block ads, something like *.my-favorite-ads-site.com.
.....
So my question to all who want wildcards in rules is: Do you still think that wildcard rules are the solution for your problem? If not, what do you want to achieve? Is there a better way to achieve it?

I'm more interested in wildcards to allow, rather than block....
For example, Dropbox uses a bunch of subdomains
(So far I see up to dl-client42.dropbox.com),
I'm constantly getting dialogs because I'm hesitant to give it free access to any connection.
I would trust it enough to allow *.dropbox.com,
but I would want to know if it is going to any other domains outside of dropbox.com.

christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am

Re: Block subdomains?

Post by christian » Sat Mar 20, 2010 1:22 pm

Thanks for the feedback so far!

Regarding conflict detection: Yes, that's easily possible. However, users who don't have a technical background find that Little Snitch is asking too many questions already.

Consider the following situation: You want to have your work done, something which costs all your concentration. Then Little Snitch pops up a window and asks you whether application xy may connect to server abc.com. You don't want to think about this in detail and choose whatever you think causes the least trouble for the moment. And then, when you want to get back to your important work, Little Snitch pops up a conflict window. You don't know what a conflict is and it's in fact not easy to understand. Little Snitch offers a text which explains the situation, but do you really want to read AND UNDERSTAND it now? And you must give an answer in order to continue your work...

timelessbeing
Posts: 9
Joined: Fri Dec 25, 2009 11:44 pm

Re: Block subdomains?

Post by timelessbeing » Sat Mar 20, 2010 9:47 pm

In regards to the conflicts, why not have one option in the preferences that says "In case of conflict: Allow or Deny" ?

christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am

Re: Block subdomains?

Post by christian » Mon Mar 22, 2010 1:27 pm

Sounds reasonable, if we make the choice allow/deny/ask. Thanks for the input!

norbert
Objective Development
Posts: 648
Joined: Thu Nov 09, 2006 6:30 pm

Re: Block subdomains?

Post by norbert » Mon Mar 22, 2010 3:02 pm

Let me add that a preference setting may raise other problems, though.

The behavior of Little Snitch may become unpredictable or unexplainable in some situations.

Imagine the following setup:

- Allow www.google.com
- Deny www.google-analytics.com
- Preference Setting: Deny in case of conflict

In the beginning everything works fine. Both hostnames resolve to different hostnames, so there's no conflict.

But after a while, Google delivers a new IP address from its pool for www.google.com that was previously delivered for www.google-analytics.com. Now, since there's a conflict, and due to the "Deny in case of conflict" preference setting, Little Snitch all of a sudden would silently deny all connection attempts to www.google.com for no obvious reason.
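As an added illustration (not code from Little Snitch or from anyone in this thread) of the IP-pool problem christian describes and the setup norbert walks through above: a toy filter that stores rules per hostname but, like the low-level filter, can only decide per IP address. Hostnames, addresses and DNS answers below are constructed; the class and function names are my own.

```python
from collections import defaultdict

ALLOW, DENY = "allow", "deny"

class IpLevelFilter:
    """Rules are written per hostname, but the low-level filter only ever sees an IP."""

    def __init__(self, on_conflict=DENY):
        self.rules = {}                   # hostname -> ALLOW or DENY
        self.ip_names = defaultdict(set)  # ip -> every hostname seen resolving to it
        self.on_conflict = on_conflict    # the "in case of conflict" preference

    def add_rule(self, hostname, action):
        self.rules[hostname] = action

    def observe_dns(self, hostname, ip):
        """Record a DNS answer; the filter remembers every IP a name resolved to."""
        self.ip_names[ip].add(hostname)

    def actions_for(self, ip):
        """Set of rule actions attached to an IP via the names that resolved to it."""
        return {self.rules[h] for h in self.ip_names[ip] if h in self.rules}

    def conflicts(self, ip):
        """An IP is in conflict once allow- and deny-names have both resolved to it."""
        return len(self.actions_for(ip)) > 1

    def decide(self, ip):
        actions = self.actions_for(ip)
        if not actions:
            return None             # no rule covers this IP: the filter would ask
        if len(actions) == 1:
            return actions.pop()    # unique mapping: behaves as the user expects
        return self.on_conflict     # shared pool address: the preference decides

def norbert_scenario(on_conflict=DENY):
    """Replays norbert's setup and returns the decision for www.google.com's address
    before and after the pool hands it an IP previously seen for analytics."""
    f = IpLevelFilter(on_conflict)
    f.add_rule("www.google.com", ALLOW)
    f.add_rule("www.google-analytics.com", DENY)
    # Constructed DNS answers using documentation addresses, not real Google IPs.
    f.observe_dns("www.google.com", "192.0.2.10")
    f.observe_dns("www.google-analytics.com", "192.0.2.20")
    before = f.decide("192.0.2.10")
    # Later the pool serves www.google.com the address analytics used before.
    f.observe_dns("www.google.com", "192.0.2.20")
    return before, f.decide("192.0.2.20"), f.conflicts("192.0.2.20")
```

With the default "deny in case of conflict" the tuple comes back as allow, then deny: exactly the silent flip norbert describes, and the `conflicts` check is what a conflict dialog or log entry could be driven from.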
