Re: [Littlesnitch-talk] Does LS filter widget access to the Internet?

2005-11-01 Thread Ole

Hello,

I cannot confirm this. I installed widget update today and LS  
detected its connection attempts correctly.


Ole

On 30.10.2005 at 16:06, Saad Kadhi wrote:


Hi there,

I downloaded Widget Update [1], a widget that checks if there are  
any updates for the other widgets installed on the Dashboard.  
Widget Update was able to access the Internet [2] and I am 100%  
sure I didn't see any alert from LS regarding this access.


I use LS 1.2.1 and I can see that I authorized/denied Internet  
access (using previous versions of LS) to widgets I installed  
during the last few months in the LS sys pref panel. And AFAICT,  
this is the first time I installed a widget while running 1.2.1.


Is this a known limitation of LS 1.2.1? Are there any workarounds?

TIA.
--
[1] http://www.dashboardwidgets.com/showcase/details.php?wid=940
[2] It retrieves its data from http://www.dashboardwidgets.com/
--
Saad Kadhi - http://saadkadhi.blogspot.com/
He who relieves the poor makes Ahura king


___
Littlesnitch-talk mailing list
Littlesnitch-talk@obdev.at
http://at.obdev.at/mailman/listinfo/littlesnitch-talk




Re: [Littlesnitch-talk] Does LS filter widget access to the Internet?

2005-11-01 Thread Ole Alferink


derek fong wrote:


Ole wrote:

I cannot confirm this. I installed widget update today and LS
detected its connection attempts correctly.

Ole

On 30.10.2005 at 16:06, Saad Kadhi wrote:


Hi there,

I downloaded Widget Update [1], a widget that checks if there are
any updates for the other widgets installed on the Dashboard.
Widget Update was able to access the Internet [2] and I am 100%
sure I didn't see any alert from LS regarding this access.


Hi,

It all depends on how the widgets communicate with the Internet and
how you've set up your rules.  Since Little Snitch works on the basis
of allowing or blocking network access to specific applications, it's
possible to inadvertently grant full access to more applications than
you bargained for by using the Always allow connection rule on a
trusted application.

For example, many applications (not just widgets) use a program called
cURL, which is an open source application that helps alleviate from
developers most of the heavy lifting associated with talking to web
and FTP servers, among others.  (cURL is included in the default Mac
OS X installation - open a Terminal window and type man curl or
curl --help.)

Now, let's say Application A uses cURL to perform an up-to-date
software check.  You trust Application A and are annoyed at always
having to confirm that you want to allow network access to it whenever
it performs a software update check, so you decide to always allow
outgoing web traffic.

However, along comes Application B which also uses cURL, but uses it
instead to phone home to its developers to let them know details of
your machine, IP address, passwords, etc.  Since you previously granted
always allow to cURL, you would never see Application B's connection
attempt.

Incidentally, this is not theoretical -- I have a number of shareware
and even commercial applications and system preference panels
installed on my system that rely on cURL to talk to the Internet, and
you probably do, too.

Maybe this is obvious to the more tech-savvy among us, but I think
it's an important point to make if it hasn't already been made
elsewhere.  What would be nice in a future version of Little Snitch is
for it to be able to differentiate between what applications call these
helper applications (such as cURL) so that granting an application full
access to cURL won't necessarily give unfettered access to another
application that uses cURL behind the scenes.  In the meantime,
remember that Little Snitch is just another tool in your security
arsenal and that it can't prevent all mishaps from occurring.

Thanks,

-f


Thanks for clarifying that. I indeed had curl to allow all network  
traffic and wasn't aware of this potential issue. So thanks. Are  
there any other usual subjects like curl?


Ole
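The helper-application problem discussed in this thread (an "always allow" rule for curl covers every program that launches curl), as an added example that is not part of the original posts: it walks a process table to find which application is actually behind each running curl process. The `ps` listing is constructed sample data, AppA and AppB are hypothetical, and the helper list and function names are assumptions.

```python
import os

# Constructed sample in the column layout of `ps -axo pid,ppid,comm`.
# The applications AppA and AppB are hypothetical.
SAMPLE_PS = """\
  PID  PPID COMM
    1     0 /sbin/launchd
  210     1 /Applications/AppA.app/Contents/MacOS/AppA
  305     1 /Applications/AppB.app/Contents/MacOS/AppB
  410   210 /usr/bin/curl
  420   305 /bin/sh
  421   420 /usr/bin/curl
  430     1 /usr/bin/curl
"""

# Assumption: generic helpers and shells that are looked through when
# searching for the application that is really behind a connection.
HELPERS = {"curl", "sh", "bash"}

def parse_ps(text):
    """Return {pid: (ppid, command_path)} from ps-style text."""
    procs = {}
    for line in text.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 2)         # the path may contain spaces
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs

def responsible_app(procs, pid):
    """Walk up from pid to the first ancestor that is not a generic helper."""
    seen = set()                            # guards against a looping table
    while pid in procs and pid not in seen:
        if pid == 1:                        # reparented: launcher has exited
            return None
        seen.add(pid)
        ppid, comm = procs[pid]
        if os.path.basename(comm) not in HELPERS:
            return comm
        pid = ppid
    return None

def helper_owners(procs, helper="curl"):
    """Map each running helper process to the application that launched it."""
    return {pid: responsible_app(procs, ppid)
            for pid, (ppid, comm) in procs.items()
            if os.path.basename(comm) == helper}

if __name__ == "__main__":
    for pid, owner in sorted(helper_owners(parse_ps(SAMPLE_PS)).items()):
        print(pid, owner or "unknown (parent exited)")
```

A helper whose launcher has already exited is reported as unknown, since the parent link is the only attribution the process table carries.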