Beware that Little Snitch and other similar network filter extensions leak your IP address to the remote server even if there's an explicit block for that server.
The blog post is mentioned in the first linked article. Needless to say I fundamentally disagree with Apple's decision* - If I explicitly install a firewall, I want it to actually function like a firewall and not let some packets through. The overhead explanation seems a bit like a stretch.
* It's actually not clear whether this is a feature or a bug. Apple never responded to the bug report (FB12088655).
Yep. It's not/wasn't a VPN or DNS proxy but more of a host-side application firewall specifically to control apps' use of outbound connections. If you need pristine infosec, then you need something else and probably public WiFi too.
I used to use LuLu and Little Snitch but LuLu nondeterministically dropped packets and connections causing ssh to drop and navigation problems in the browser, so I had to remove LuLu.
No longer using MacOSX, but this was definitely one of the most useful and usable security tools ever created. Especially in a time where more than half of all the anti-virus or firewalls you would get were just snake oil.
I even got a nice bug bounty, because I discovered that a popular program pulled its updates via HTTP and executed the downloaded executable directly thereafter.
I love the inclusion of DNS here, as that was a major pain point on version 5. Currently on MacOS you can only use a single network filter, which Little Snitch is, so you couldn't use an encrypted DNS service easily in addition to Little Snitch. This made it an instant purchase for me (and it works).
I seem to recall the past paid upgrades being timed to release with new macOS versions, but this one comes out ahead of WWDC in June, where presumably a new version will be unveiled. Is this related to the network filter extensions, so there's no longer the same risk of OS version incompatibilities?
An issue that's not unique to this developer is that I'm having trouble determining what their update policy will be regarding the now previous version. Based on their past procedure, I'm not expecting it'll work with the next major macOS version, but it would be wonderful to have clearer expectations on what types of bugs or security issues (if any) they commit themselves to fixing after the new version is out.
https://lapcatsoftware.com/articles/2023/6/3.html
Perhaps just VPN + Little Snitch is your best bet if you're still worried.
Would be good to get an official answer from Apple on whether this is "won't fix" or coming as a fix in a future release.
That link is for Apple engineers. Feedback reports are not public. They're only accessible by the reporter and Apple.
From 3.0 to 4.0 and then to 5.0 were €25 each. This is a 56% uptick in price.
But the price of the upgrade went up more than the change in the app's pricing.
When at home, I point the router to DoT non-logging servers and clients use the router for all domain resolution.
Which begs the question: is there anything similar for a Windows machine? Or for a Linux-based one?