Little Snitch 4 gives deep insight into server connections from apps

Objective Development’s Little Snitch is your best defence against software that goes out on the Internet not only for updates but sometimes for snooping too. Little Snitch 4 is a firewall, network filter and network monitor that now lets you drill down easily into connections up to individual server level. It comes with a gorgeous interface that shows you where those servers are geographically based.

Little Snitch 4 is still in beta, but on my machine, I have yet to encounter the first bug. The app looks gorgeous and is better than ever. Actually, that’s an understatement. I have been running Little Snitch 3.x for over a year now and the new version looks like it’s an entirely different app. It offers more information on a level that even network laymen can understand, while network aficionados will have a lot more to “play” with.

Little Snitch 4 shows you the actual servers by (DNS) name an app tries to access on a map in real-time, with connection lines drawn between your machine and the ones being accessed. It has an assistant that will explain what behind-the-scenes macOS daemons like nsurlsession are for. And it enables you to allow or deny connections — and create associated rules — on a per-server basis inside its idiot-proof environment.

And that’s only the Network Monitor. From that Network Monitor, you can now create and edit rules, with the easiest way to set them up having the app allow everything in Silent Mode and afterwards decide which of those rules you want to deny after all. The Network Monitor is the one that will catch your eye instantly because of its brilliant and innovative design, but the Configuration and Rules creation modules have undergone major refits too.

The Research Assistant, for example, is not just accessible from the Network Monitor view, but also from the Little Snitch Configuration screen. It makes it a lot easier and simpler to decide whether you’re not going to mess up your system in any way by denying access to connections.

Connection alerts are now smaller by default. If you need more information, there are two minimal design icons to get more info. They can also be minimised to defer the decision whether to allow or deny a connection.

The information you got on connections with Little Snitch 3 used to be IP-based. Little Snitch 4 uses an improved method: DNS name based traffic filtering using Deep Packet Inspection. This gives you a real insight into the servers an app is connecting to. For example, I found out that some apps will try to connect to Doubleclick servers when launched after I installed Little Snitch 4. With the previous version, I could only detect the app communicating with a whole bunch of IP-addresses. On a busy day, I didn’t have time to look them all up on the Internet and on calm days I didn’t feel like it. With Little Snitch 4, I can deny Doubleclick access, but allow the servers that are responsible for updating the app nevertheless.

New features that improve security and clarity

Another new feature is code signature secured filter rules. Apple’s own apps all work with connections that have these. Some apps don’t have them and that justifies closer inspection because you’re unsure if the app won’t hijack your Little Snitch rules to gain full access to your Mac.

When the code signature of a connecting process is invalid, the connection alert now offers additional options for dealing with this situation. In that case, the automatic confirmation of the connection alert is suppressed.

The rules in Little Snitch Configuration now has an info sidebar that shows whether a rule requires a valid code signature and a new suggestions filter lists all rules that could require a code signature from their processes but currently don’t. Obviously, you can turn this feature on and off at will.

Little Snitch 3 offered profiles for different usage scenarios. Little Snitch 4 adds to that an improved way of working with them, but I haven’t had a chance to play with them — I haven’t been using them in version 3 because I saw no need, but that may change with version 4.

The new Silent Mode is a boon too. You might choose to run Silent Mode for a while, then later create rules for connections that occurred during that time. An application’s connections shown in the connection list are now displayed grouped by domain, making it easier to create rules that match an entire domain instead of just a single host. But it’s still possible to drill down to the host-level of each connection. Connection information is persistent across restarts of the application.

A new “Since Timestamp” filter allows to temporarily clear the connection list and show only connections that occurred after the filter was turned on.

The Research Assistant is not only accessible from Network Monitor and from Little Snitch Configuration, but also delivers more and better information. However, how good it will be depends on third-party developers. They can now bundle their apps with an Internet Access Policy file containing descriptions of all network connections that are possibly triggered by their app. Little Snitch will then display that information to users, helping them in their decision how to handle a particular connection. A description of the policy file format will be provided soon.

I guess only developers who don’t sneak in server connections like Doubleclick will want to bundle their app with these files…

The new Silent Mode is tightly integrated with the Network Monitor. It can be used as an alternative to regular connection alerts, which some users may find too intrusive, especially after a fresh installation of Little Snitch with very few filter rules in place, causing connection alerts to appear quite often.

When Silent Mode is active, a user notification is shown when a connection got silently allowed or denied. This happens only once per application, so it’s actually better to drill down to the server level to see whether there aren’t any server connections you want to allow anyway, but it all depends on what you want out of Little Snitch. If you prefer completely silent operation, you can even turn off these notifications.

Connection alerts less intrusive and more automation

In Little Snitch 4’s Preferences, you can now choose the options that will be applied by default when a new connection alert is shown. It’s also possible to choose if the created rule shall be effective in the current profile or in all profiles. Connection Alerts now also have an “Only local network” option if a connection attempt was made to an address in the local network. In addition, you may want to minimise the alert window. Instead of confirming a connection alert immediately, you can minimise it into a small overlay window and postpone the decision whether to allow or deny the connection.

The context menu of a minimised connection alert even offers a “Keep minimised” option. Subsequent connection attempts will then also be collected in the minimised overlay window. A counter shows the number of pending connection attempts.

The new Automatic Silent Mode Switching option lets you associate a profile with a particular Silent Mode. Whenever the profile gets activated, the corresponding Silent Mode Switching is performed.

For example, when I’m writing an article, I don’t like being distracted by alerts, so I could create an “Editing” profile for use with Ulysses that automatically turns on Silent Mode in order to prevent connection alerts from appearing when I’m writing.

There’s even more to Little Snitch 4 than I mentioned here, but I think I have covered the most important new features. I can only say that, if you care at all about your Mac’s integrity, security and privacy, you need something like Little Snitch. Version 4 of this venerable app is Little Snitch as we know it now on steroids, and it’s worth every cent of its €45 price.

Advertisements