HomeBrew Users?

General discussions about Little Snitch
Netsec4me
Posts: 1
Joined: Sun Jul 23, 2017 10:13 am

HomeBrew Users?

Postby Netsec4me » Sun Jul 23, 2017 10:17 am

Hey all,

This might be a better post for the homebrew repo, and I'll open up a ticket there as well, but I wanted to see if anyone here uses homebrew on their mac along with LS4. If so, do you install (not compile, but bottled) any formulae that are 'internet-facing'? For example: python, git, curl, etc. (something that, when used, would trigger a LS connection alert).

If so, does anyone else's LS complain about the formula (git, curl, etc.) lacking a valid code signature? Given this new security feature it seems counter-productive to ignore the warning issued by LS, but at the same time, I get the warning for every single program I download that faces the internet.

Does anyone else have the same problem?

Thanks

ctwise
Posts: 12
Joined: Tue Apr 14, 2009 3:19 pm

Re: HomeBrew Users?

Postby ctwise » Tue Jul 25, 2017 12:31 am

Command-line programs built by Homebrew don't have cryptographic signatures. So Little Snitch is going to (rightly) complain about their lack. But there's nothing that can be done about it.

Xipper
Posts: 5
Joined: Sun Mar 15, 2015 1:30 am

Re: HomeBrew Users?

Postby Xipper » Thu Jul 27, 2017 7:59 pm

It would be nice if LS would at least do a SHA/md5 hash of the binaries and store those and use that to validate the binaries haven't changed since rule creation... and if it does change, prompt the user so that they can approve/reject the rule being updated with the new hash. Path and file name matching is not secure by any means, and there will always be some code that goes unsigned (unless Apple wholly blocks unsigned binaries from executing in the future).

flo23
Posts: 1
Joined: Fri Sep 29, 2017 10:14 am

Re: HomeBrew Users?

Postby flo23 » Fri Sep 29, 2017 10:23 am

It would be nice if LS would at least do a SHA/md5 hash of the binaries and store those and use that to validate the binaries haven't changed since rule creation...

Yes please! Although I would recommend a hashing method that is not officially declared "insecure".

I love Little Snitch, but version 4 is so annoying for all developers who use a lot of command line binaries. Also the UX is quite bad if it allows creating "Allow always" rules for binaries without a valid code signature, because I as a user think I created that rule. But the next time the binary attempts to connect to some server the alert shows up again and my created rule won't even be considered by Little Snitch, because of the missing code signature... In this case I think it would be better to clarify to the user that those rules have no effect.
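The scheme Xipper proposes and flo23 seconds (record a hash of each unsigned binary when a rule is created, re-check it on later connections, and flag any change for the user to approve or reject) can be prototyped outside Little Snitch. The script below is an added example written for this thread, not code from Little Snitch or Homebrew; it uses SHA-256 rather than MD5, as flo23 suggests, and works on constructed stand-in files in a temp directory instead of real Homebrew binaries. The manifest format, the function names and the status labels are this example's own choices.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths):
    """Pin each binary to its current hash, i.e. what LS would store at rule creation."""
    return {str(p): sha256_file(p) for p in paths}


def save_manifest(manifest, manifest_path):
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def verify_manifest(manifest):
    """Re-check every pinned binary; returns path -> 'ok' | 'changed' | 'missing'.

    'changed' is the case where a rule-based firewall should stop trusting the old
    rule and ask the user whether the new hash is an expected upgrade or not.
    """
    status = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            status[path] = "missing"
        elif sha256_file(path) == expected:
            status[path] = "ok"
        else:
            status[path] = "changed"
    return status


def demo():
    """Constructed scenario: pin two fake tools, then 'upgrade' one of them."""
    workdir = tempfile.mkdtemp(prefix="lsdemo-")
    git = Path(workdir, "git")
    curl = Path(workdir, "curl")
    git.write_bytes(b"#!/bin/sh\necho fake git\n")    # constructed stand-in binary
    curl.write_bytes(b"#!/bin/sh\necho fake curl\n")  # constructed stand-in binary

    manifest_path = Path(workdir, "manifest.json")
    save_manifest(build_manifest([git, curl]), manifest_path)

    before = verify_manifest(load_manifest(manifest_path))   # everything still 'ok'

    # A brew upgrade (or tampering) replaces the file contents in place.
    curl.write_bytes(b"#!/bin/sh\necho fake curl 2.0\n")
    after = verify_manifest(load_manifest(manifest_path))    # curl is now 'changed'
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, result in (("before upgrade", before), ("after upgrade", after)):
        print(label)
        for path, state in result.items():
            print(f"  {state:8} {path}")
```

Note that the hash pins file contents only, so an unsigned tool upgraded by brew will show up as "changed" exactly like a tampered one; the prompt Xipper describes is what lets the user tell those two cases apart, which is also why a silent re-pin would defeat the purpose.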
