Internet Access Policy
In Little Snitch 4 we’ve introduced a new Internet Access Policy (IAP) standard, allowing third-party app developers to bundle a policy file with their application containing information about the Internet connections their program is about to establish.
This gives developers the opportunity to describe the purpose of these connections, why they are necessary and why it’s recommended or necessary to allow them.
With Little Snitch 4.0.4 we’ve extended the policy format to allow providing dedicated information about potential consequences when denying a particular connection.
Whenever you choose to deny a connection via Little Snitch — either in the connection alert or in Network Monitor — we now display that information, helping you make a better-informed decision.
- Little Snitch now includes Internet Access Policies for several Apple processes shipped with macOS.
- Fixed an issue with localized IAP files.
- Added support for Markdown-style links.
- Blocked connections are now indicated in the map with a red flashing connection line.
- Significantly improved performance when handling large numbers of connections.
- Improved performance in case of large file downloads.
- New action: “Show Recently Used Rule(s)”. Accessible by holding down the Option key while right-clicking a line in the list.
- Fixed an issue causing heavy flickering of the map during zooming or panning on macOS 10.13 High Sierra.
- Fixed locations on Little Snitch Network Monitor’s map being drawn too large on macOS 10.13.
- Fixed: The menu bar did not respond immediately after opening the Network Monitor window.
- Fixed: Network Monitor no longer flashes connection lines that are currently invisible due to filtering.
- The data rate display in the inspector pane now respects the Bits/s vs. Bytes/s user preference.
- The experimental “Handle Connection Attempts in Monitor” preferences option has been removed.
Code Signature Check Improvements
- Fixed an issue that could incorrectly lead to a connection alert indicating a code signature mismatch between a running process and an existing rule.
- Fixed an incorrect message “Incoming Connection Denied due to invalid code signature” being shown, usually for the process
- Improved a confusing code signature mismatch message in connection alert when the bundle identifier of the connecting app changed.
- When a rule is created using the connection alert’s “Deny Any Connection” button (only shown in case of a code signature mismatch or an invalid code signature), that rule is now permanent instead of “Until Quit”.
- Fixed an issue where a deny rule labelled “override due to code signature issue” could inadvertently be turned into a permanent allow rule.
- Fixed an issue where the connection alert would show that an XPC process’ parent app had no code signature. This would happen when the parent app was already terminated at the time when the XPC process tried to establish a connection.
- Improved handling and presentation of code signature issues.
- Improved help text of rule suggestions covering multiple connection attempts.
- Improved handling of incoming ssh connections.
- Improved handling of denied incoming connections.
- Improved display of connection alerts on small displays.
- Improved creation of diagnostics reports.
- Improved protection against malware attempting to modify Little Snitch.
- Improved reliability of showing connection alerts in cases where a process only opens a connection, but never actually sends or receives any data.
- For improved privacy the Little Snitch configuration file is now saved in an encrypted format.
- Fixed a vulnerability where the process name in Little Snitch Configuration’s rule inspector could be constructed to execute as a shell command. Security impact: If users follow malicious instructions, they can enter a text string in Little Snitch Configuration which is unexpectedly executed in a shell under the user’s privileges. Not exploitable remotely or by local processes.
- Added a preference option for choosing whether OpenVPN remote servers should be distinguished or not.
- Added “Port 22 (SSH)” to the port popup list in the rule editor of Little Snitch Configuration.
- Due to a bug in macOS, applications may hang for a while when they attempt to show animated graphics. Little Snitch detects when important components stop responding and used to generate diagnostics info. Since this further slowed down the machine, we no longer generate these diagnostics and simply restart the affected component.
- Fixed a rare kernel panic.
- Fixed an issue when choosing the “Once” option in the connection alert.
- Fixed an issue related to handling connections via VPN.
- Fixed a rare crash of Little Snitch Network Monitor that could occur when an app would use a network socket in an unusual, but still correct way. This could happen when using the PS4 Remote Play app.
- Fixed a kernel panic by making Little Snitch’s kernel extension more robust when other third-party kernel extensions overwrite memory that belongs to Little Snitch.
- Fixed outdated message in installer log when boot cache update failed due to a full Recovery HD.
- Improved detection of which app uses an XPC helper.
- Fixed some unexpected but harmless messages from the kernel in the system log that would occur only on MacBook Pro with TouchBar.
- Several other bug fixes and improvements.
For improved privacy the Little Snitch configuration file is now stored in an encrypted format. When switching to the encrypted format, a backup of the old, unencrypted configuration file is made. If you prefer to have only encrypted configuration files stored on disk, we recommend removing any unencrypted backup files. Their filenames contain a date and timestamp, and they are located in the following folders:
/Library/Application Support/Objective Development/Little Snitch/
~/Library/Application Support/Little Snitch/
To open these folders you can use Finder’s Go to Folder… command (⇧⌘G).
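The same cleanup can be done from Terminal. The script below is an added example, not part of Little Snitch or of the original release notes: it lists the timestamped backups in the two folders above and deletes them only when `remove_plaintext_backups` is called explicitly. The function names are hypothetical, and the `configuration_*.xpl` pattern is taken from the system-folder filename given on this page and assumed to apply to the per-user folder as well.

```shell
#!/bin/sh
# Added example (not from Little Snitch): audit for leftover unencrypted
# configuration backups in the folders named in the release notes.

SYSTEM_DIR="/Library/Application Support/Objective Development/Little Snitch"
USER_DIR="$HOME/Library/Application Support/Little Snitch"

# Print every timestamped backup found directly in the given folders,
# one path per line. With no arguments, the two default folders are used.
# Assumption: backups are named configuration_<dateandtime>.xpl in both folders.
list_plaintext_backups() {
    [ "$#" -gt 0 ] || set -- "$SYSTEM_DIR" "$USER_DIR"
    for dir in "$@"; do
        [ -d "$dir" ] || continue   # skip folders that do not exist
        find "$dir" -maxdepth 1 -type f -name 'configuration_*.xpl' -print
    done
}

# Delete the files reported by list_plaintext_backups and print how many
# were removed. The system folder normally requires running this with sudo.
remove_plaintext_backups() {
    list_plaintext_backups "$@" | {
        count=0
        while IFS= read -r file; do
            rm -f -- "$file" && count=$((count + 1))
        done
        echo "$count"
    }
}

# Default action when run as a script: list only, delete nothing.
list_plaintext_backups
```

Deleting these files also removes the backup that the downgrade procedure described below restores from, so review the listing before calling `remove_plaintext_backups`.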
Since this version stores all configuration files in encrypted format, previous versions cannot read them. If you downgrade, all your rules and preferences are lost. In order to prevent data loss, this version makes a backup of your configuration at
/Library/Application Support/Objective Development/Little Snitch/configuration_<dateandtime>.xpl before encrypting. Previous versions can restore from this backup via Little Snitch Configuration > Rules > Import from Backup….
Alternatively, you can make a backup of your configuration even in the new version (via Little Snitch Configuration > Rules > Backup…) and restore it after downgrading. Backups are not encrypted in order to keep them backward-compatible.