Apple apps do bypass NEFilterDataProvider (used by application firewalls like Little Snitch), and the per-app VPN mechanism (using NEAppProxyProvider). Thus, per-app VPNs can't be applied to Apple applications, but per-app VPNs were never intended to globally intercept traffic. Claiming that Apple apps bypass (all) VPNs in Big Sur is deceptive - they only bypass per-app VPNs that were never intended to cover all system traffic in the first place.
Traditional VPNs that cover the whole system and route traffic based on destination IP (such as OpenVPN in UTUN mode) use the Packet Tunnel Provider in Destination IP mode. To the best of my knowledge, global VPNs routing based on destination IP (i.e. non per-app VPNs) still route traffic from all applications, including Apple ones.
You are correct. I tested several of the normal ‘whole-system’ VPNs on Big Sur last week when this misleading headline came out and Apple traffic was correctly routed over the VPN in each case. (Both the built-in macOS VPN client and third-party tuns such as Viscosity, etc.)
My testing was not a comprehensive assessment of macOS-compatible VPN services and my selection was biased towards breadth of implementations disregarding all other criteria. It would be inappropriate for me to recommend any of them as I did not assess for quality of app, support, billing, or privacy.
If it adds a default route to your routing table when you connect, it's fine. If it offers fancy per-app traffic rules, it's probably not fine.
Ah, you're right, I missed something. None of my comments explain my testing method. I apologize; this was present in an earlier draft of the initial post and got lost along the way. The question asked was only "Which VPNs did you test?", not "What was your methodology", and I didn't catch the absence of the latter until you asked that in reply.
In summary, for each VPN app, I connected to the VPN and then wiretapped my computer to see if it originated unencrypted network traffic to any Internet destination other than the VPN while operating a variety of core macOS services on the exclusion list, such as Software Update and App Store.
In each case, I was able to witness Apple traffic on the VPN network interface but not on the Ethernet interface below it.
For anyone testing Mullvad, please keep in mind that they make use of the macOS packet firewall layer in addition to the usual VPN network interface, which may complicate my testing procedure if followed stringently as there might not be Apple traffic on any interface, VPN or not, in that scenario. Mullvad context is in another post: https://news.ycombinator.com/item?id=25116863
APPENDIX: Note that, as far as I can determine, existing TCP connections were not reset onto the VPN when it was connected. Since I was inspecting all traffic, not just Apple traffic, I ended up having to restart Slack a couple of times just to get it to switch over to the VPNs. I would imagine this should be studied more closely, since it was a surprise to me.
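The testing procedure in the comments above (connect the VPN, confirm the default route points at the tunnel, then wiretap and check that Apple traffic shows up on the tunnel interface and nothing leaves the Ethernet interface except the encrypted link to the VPN server) can be replayed offline against captured output. The following is an added example, not code from any commenter; the routing table, the tcpdump-style lines, the interface names (`en0`, `utun3`), the LAN prefix and the VPN endpoint address are all constructed for the example. The only non-constructed value is Apple's 17.0.0.0/8 allocation, used to recognise Apple-destined packets.

```python
"""Offline replay of the whole-system VPN check.

Constructed sample data, not a real capture: a netstat -rn style routing
table and a few tcpdump -nn style lines, each tagged with the interface
it was seen on. Interface names, addresses, LAN prefix and the VPN
endpoint are assumptions for the example.
"""
import ipaddress
import re
from collections import Counter

VPN_ENDPOINT = "203.0.113.10"                        # assumed VPN server (constructed)
PHYSICAL_IFACE = "en0"                               # assumed Ethernet/Wi-Fi interface
TUNNEL_IFACE = "utun3"                               # assumed tunnel interface
LAN = ipaddress.ip_network("192.168.1.0/24")         # assumed local network
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")     # Apple's publicly allocated /8

# Constructed: what `netstat -rn` might print while the VPN is connected.
ROUTES = """\
Destination        Gateway            Flags        Netif
default            10.8.0.1           UGScg        utun3
10.8.0.0/24        10.8.0.2           UCS          utun3
192.168.1.0/24     link#4             UCS          en0
203.0.113.10       192.168.1.1        UGHS         en0
"""

# Constructed capture lines in `tcpdump -nn` shape, tagged with the interface.
PACKETS = [
    ("en0",   "12:00:01.000000 IP 192.168.1.20.51234 > 203.0.113.10.1194: UDP, length 1200"),
    ("en0",   "12:00:01.100000 IP 192.168.1.20.51234 > 203.0.113.10.1194: UDP, length 96"),
    ("utun3", "12:00:01.200000 IP 10.8.0.2.49152 > 17.253.144.10.443: Flags [S], seq 1, win 65535"),
    ("utun3", "12:00:01.300000 IP 10.8.0.2.49153 > 17.57.146.1.443: Flags [S], seq 2, win 65535"),
]

PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+")


def default_route_interface(routes_text):
    """Netif of the 'default' route, or None: the rule of thumb that a
    whole-system VPN is one that installs a default route."""
    for line in routes_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "default":
            return fields[-1]
    return None


def parse_packet(line):
    """Return (src, dst) addresses from one tcpdump line, or None."""
    m = PKT_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def leaked_packets(packets, vpn_endpoint=VPN_ENDPOINT, physical_iface=PHYSICAL_IFACE):
    """Lines seen on the physical interface whose destination is neither
    the VPN endpoint nor the LAN: traffic that bypassed the tunnel."""
    endpoint = ipaddress.ip_address(vpn_endpoint)
    leaks = []
    for iface, line in packets:
        parsed = parse_packet(line)
        if iface != physical_iface or parsed is None:
            continue
        _src, dst = parsed
        if dst == endpoint or dst in LAN:
            continue
        leaks.append(line)
    return leaks


def apple_traffic_by_interface(packets):
    """Count packets destined for Apple's /8, per capture interface."""
    counts = Counter()
    for iface, line in packets:
        parsed = parse_packet(line)
        if parsed and parsed[1] in APPLE_BLOCK:
            counts[iface] += 1
    return dict(counts)


def vpn_covers_apple_traffic(packets, routes_text, tunnel_iface=TUNNEL_IFACE):
    """True when the default route is the tunnel, Apple traffic appears on
    the tunnel only, and nothing leaked on the physical interface."""
    seen = apple_traffic_by_interface(packets)
    return (default_route_interface(routes_text) == tunnel_iface
            and seen.get(tunnel_iface, 0) > 0
            and seen.get(PHYSICAL_IFACE, 0) == 0
            and not leaked_packets(packets))


if __name__ == "__main__":
    print("default route via:", default_route_interface(ROUTES))
    print("Apple traffic per interface:", apple_traffic_by_interface(PACKETS))
    print("leaks on physical interface:", leaked_packets(PACKETS))
    print("VPN covers Apple traffic:", vpn_covers_apple_traffic(PACKETS, ROUTES))
```

On a real machine the two inputs would come from `netstat -rn` and from `tcpdump -nn -i <iface>` run on each interface; the checks above only tell you whether any plaintext left the physical link, so DNS queries to a LAN resolver or existing TCP connections that were not reset (the APPENDIX point) need to be looked at separately.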
Their question could be confused by others as it's phrased. "my methods" includes both the VPNs I tested, and how I tested them. They correctly observe that I withheld all information about my methods, rather than only the component I intended to.
Someone else who didn't realize that I'd left out the methodology could possibly interpret their question as confused/misplaced/etc. I definitely wondered about that at first, but I took the good faith approach:
Because we are not owed anything by HN commenters. Floatingatoll posted what they wanted to post, and they have no responsibility to post anything more than that.
If you or I think there should be recommendations of which specific VPNs properly route Mac app traffic, then you or I can do our own tests and post our own comments with those results and recommendations.
I'm definitely frustrated that so many people (in top-level comments on HN, especially) are taking for granted some random Internet post without verifying it, but that's no excuse for the missing methodology.
The problem is per-app firewalls used to be able to block all apps/traffic equally. Apple then deprecated/discouraged the KEXT mechanism these firewalls used in favour of NEFilterDataProvider which, as you described, is clearly an inferior solution.
You can't claim that these apps were not meant to do the very thing they used to do until Apple made such operation effectively impossible.
I'm talking about VPNs, not firewalls. This article (and people in general) are claiming that Apple applications bypass VPNs, and falsely implying that system-wide VPNs are no longer possible in Big Sur. NEAppProxyProvider was never meant for system-wide VPNs. NEPacketTunnelProvider, the system-wide VPN mechanism (when used in destination IP mode), continues to route system-wide VPN traffic, including that of Apple applications.
I'm not denying that NEFilterDataProvider is an inferior solution for per-app firewalls like Little Snitch, compared to their previous kernel extension.
I think you're right, the article definitely oversteps its bounds and ends up claiming that Apple apps can bypass all VPNs and firewalls. The correct summary of the situation is probably the first tweet in the article:
> Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running
But then the article sloppily goes on to say:
> What Wardle found is that the Mac App Store on the latest macOS bypasses any firewall.
The PF (BSD Packet Filter) firewall built into Mac OS covers Apple processes. However, I don't think its interfaces are sufficient to implement the functionality of Little Snitch. The new-ish NEFilterDataProvider API used by Little Snitch on Big Sur is neutered by allowing Apple apps to bypass it.
Per-app VPNs have existed for some time, and their use case is different from system-wide VPNs. Typically, per-app VPNs are used when you want to grant specific applications access to resources on say a corporate VPN, without granting all applications access to the VPN. Per-app VPNs are also useful if you want to protect a specific app's communications through an encrypted tunnel without affecting the rest of the system.
If you're serious about using a VPN, I strongly recommend getting an OpenWRT capable router and setting up your VPN there. Some benefits:
- It's physically impossible for your devices to bypass the VPN.
- It also works with devices that have poor or non-existent VPN support (e.g. Roku, smart TV, etc.).
- You only have to configure it once vs having to configure it on all your devices.
- You can easily and quickly toggle the VPN by switching to a Wifi that doesn't have VPN setup.
I've been using GL.iNet's travel routers for many years and can't recommend enough (no affiliation other than being a customer). Just ordered their new Beryl router[0].
Unfortunately the web is harder and harder to use with VPNs. So many websites just completely block you for using them, including etsy and Craigslist off the top of my head.
This has to be a false statement. Some sites blacklist subnets they believe to belong to VPN services, that's true. No web site has the information to know the difference between a tunneled packet and a non-tunneled packet. They could try looking at MTU but then they'd block all sorts of "legitimate" traffic due to use of PPPoE and so on inside ISP networks.
I assume you mean a "Proxy as a Service" when you say "VPN," right?
Without that focus, web sites would have a lot of trouble identifying IP traffic routed over a personal VPN from any other traffic. I suppose they could just block entire clouds, for those who run VPN servers on AWS, Azure, et al. But that would cause a lot of other problems.
I just route all of my devices through a single node I run at one physical location that appears like a genuine client node. I've never seen anything blocking it.
The one specific example I'm aware of is Delta Airlines seemingly blocking traffic that exits from my Digital Ocean droplet running OpenVPN... a service that, annoyingly, I mostly use when I am traveling and on public access points.
Is this true for self-operated VPNs? I run an openVPN instance on an old laptop in my apartment that also handles a pi hole instance and a minecraft server -- I'd think that any "VPN blocking" could apply to VPNs as a service, but not a VPN that I rolled and hosted myself.
You never get captchas and other annoying "security" measures when using OpenVPN? I get them all the time, but I assume that it's because the IP addresses are from Mullvad and not as trusted as your ISP. What you have is a good setup for working in various untrusted environments but it's not the same for those people who do torrenting or say skipping past oppressive governments where they're trying to be anonymous via VPN.
I'm self-hosting a VPN server on Digital Ocean, and whenever I'm using it, some websites notice that my IP address belongs to a hosting provider, so I start to get lots of CAPTCHAs. So yes, at least Google and Cloudflare detect that.
IP addresses are assigned in blocks, and these blocks are assigned to registered companies - Long story short you can roughly determine whether an IP address is from a datacenter or is "residential" without too much issue - All DigitalOcean droplets are given IP addresses within DO's range for example.
Basically if the IP is from a datacenter - it's likely a VPN.
And for sites with a lot of traffic, you probably don't even need an external subscription, you can deduce the ranges yourself simply by checking for IP addresses that wind up having logged-in users from all over the world in a short time frame.
Pretty easy to do accurately with a short set of heuristics.
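The two heuristics described in the comments above (an IP lookup against a hosting provider's published ranges, and flagging an IP that has logged-in users from many countries in a short window) are worked through below. This is an added example, not code from any commenter; the prefixes and the login log are constructed, and the `classify_ip` labels are my own naming.

```python
"""Datacenter-range lookup plus the 'many countries from one IP' signal.

Constructed data only: the prefixes stand in for a provider's published
ranges, and the login log is invented for the example.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for hosting-provider prefixes (documentation ranges).
DATACENTER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]


def is_datacenter_ip(ip, ranges=DATACENTER_RANGES):
    """Block-level check: does the address fall in a known hosting range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def _t(hhmm):
    """Helper: timestamp on one constructed day."""
    return datetime(2020, 11, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed login log: (timestamp, client IP, account's registered country).
LOGINS = [
    (_t("09:00"), "192.0.2.5", "US"),
    (_t("09:05"), "192.0.2.5", "DE"),
    (_t("09:12"), "192.0.2.5", "JP"),
    (_t("09:20"), "192.0.2.5", "BR"),
    (_t("09:01"), "192.0.2.77", "US"),
    (_t("10:30"), "192.0.2.77", "US"),
    (_t("11:00"), "192.0.2.9", "FR"),
    (_t("15:00"), "192.0.2.9", "CA"),
    (_t("09:03"), "203.0.113.9", "GB"),
]


def suspicious_shared_ips(logins, window=timedelta(hours=1), min_countries=3):
    """IPs that saw logins from at least `min_countries` distinct account
    countries inside any `window`-long span (sliding window per IP)."""
    by_ip = defaultdict(list)
    for ts, ip, country in logins:
        by_ip[ip].append((ts, country))
    flagged = []
    for ip, events in by_ip.items():
        events.sort()
        in_window = Counter()
        start = 0
        for ts, country in events:
            in_window[country] += 1
            # Drop events that fell out of the window ending at `ts`.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_countries:
                flagged.append(ip)
                break
    return sorted(flagged)


def classify_ip(ip, logins=LOGINS):
    """Combine both signals; labels are this example's own naming."""
    if is_datacenter_ip(ip):
        return "datacenter"
    if ip in suspicious_shared_ips(logins):
        return "shared-exit"
    return "unflagged"


if __name__ == "__main__":
    for ip in ("203.0.113.9", "192.0.2.5", "192.0.2.77", "192.0.2.9"):
        print(ip, "->", classify_ip(ip))
```

The second signal is what makes the approach work without a subscription: a single exit address used by accounts from four countries within twenty minutes is almost never a home connection, while the same IP with two logins hours apart stays unflagged. Tune `window` and `min_countries` against your own traffic before acting on the result, since an office NAT or a campus network can look similar.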
Many geo-ip services also offer VPN or server detection (e.g. is the IP in one of the EC2 ranges).
In a previous job at an online gambling company we found that a large percentage of fraudulent user accounts came from VPNs so ended up banning them at the geo lookup stage.
Also some non-web services can act weirdly with them. In my personal experience Google's voice to text including Assistant commands and transcription often just fails to go through, or takes tens of seconds to get a response over a VPN.
> You can easily and quickly toggle the VPN by switching to a Wifi that doesn't have VPN setup.
I feel like "quickly" and "easily" are a little overstated. Then again, this is someone who is willing to install a separate firmware on a router, so...
Once you have it set up, toggling it would just involve connecting to a different SSID. That's pretty quick and easy; two or three mouse clicks in most OSes I've used.
Yes, setting it up in the first place may be fairly involved.
Second this. I have the same router and it's extremely easy to set up, and it supports Wireguard out of the box, which I love for its simplicity.
It has a simple interface on top of openWRT, for non-experts like me. Support is a bit crap as it's all in Chinese but it works like a charm.
I have to chime in with a third; I have been very happy with my AR300M from the same supplier for the last CPI years and I am planning on a new one from them soon.
I used my router for this purpose until recently. It was difficult to keep up with updates, partly because openwrt versions for my router lagged other versions for long periods.
I replaced my router recently and changed my strategy. Now the router is only a router (and firewall of course).
I have a raspi sitting next to it providing the wireguard vpn. This is easy to update and everything actually works better than in past. I attribute a large part of that to wireguard over openvpn, though...
I've done that a few months ago on a Ubiquiti router. Two VLANs, one with normal access and one with a Wireguard tunnel into my self-hosted droplet that also runs pihole. Works like a charm.
> I strongly recommend getting an OpenWRT capable router and setting up your VPN there
Double it, OpenWRT functionality beats any production router firmware. Bought Linksys some time ago, now searching a cable to flash OpenWRT on it 'cause original firmware feels crazy dumb.
It's better to go with something like a $150 Intel NUC running pfsense (free) to connect to the VPN because the vast majority of Wi-Fi routers don't have enough CPU to decipher 256bit AES encryption in real-time. Once you fire up the VPN on even a top-tier router, you're likely to see your overall connection speed drop to 15 mbit/sec or less. A cheap NUC has no problem doing 256bit AES at 200+ mbit/sec.
No, it is not easy. It is messy, the codebase is showing its age, configuration is a nightmare, and throughput overall is pretty shit with so many layers of unoptimized linux piled on top of hardware that was never optimized to handle this type of packet generation and mangling.
> and throughput overall is pretty shit with so many layers of unoptimized linux piled on top of hardware that was never optimized to handle this type of packet generation and mangling
That's a very broad generalization. I use a https://pcengines.ch/ based router with openwrt and mullvad as my VPN and performance is very close to non-vpn traffic.
Sure, if you run your VPN on bad hardware you might get bad performance but that is not true for everyone.
I'm almost never looking for all my devices to be going over VPN. Rather it's generally one device at a time and even within that I'd often prefer it to be one app at a time. I have run a VM with the VPN only running in the VM but the overhead of the VM itself is not worth it.
I've tried this approach but often I would find traffic going down - especially YT and occasionally the router would crash. Frankly it's like 5 years old now. Are there any modern routers easily handling VPN?
In my experience, stay away from consumer routers and a lot of these sorts of issues go away. Even something as simple and inexpensive as Ubiquiti is miles ahead of anything in the consumer space. I haven't had a router issue in years. And I use VPN every day.
Except, what’s crazy is that they do. I have an ISP-provided Zyxel C1100 modem, and sometimes it does just randomly crash and take about a minute to reload if we’re doing too much. I’d buy a good DSL modem, but it happens just under the threshold where I’d buy a $100 modem to fix it.
How do you do that for a multiple VPN setup (for work obviously) that would need to route the connection to different devices, while working only during office hours and taking into account the usual MFA crap?
>It's physically impossible for your devices to bypass the VPN
It's not true. There are bugs and vulnerabilities, some of them can be exploited remotely. OpenWRT is no exception here. Better than many maybe, but not invulnerable.
And please, let's stick to professional terminology and call these "VPNs" what they are - transparent L2/L3 proxies.
Bugs and vulnerabilities are an ever-present thing. You don’t really need to mention them when making a statement like the parent’s.
Also I don’t think your terminology is really all that helpful. These services are literally VPNs. Trying to make a distinction doesn’t really add anything when VPN is already an established well understood term. This just adds confusion when there are already L3 proxies.
Everyone upvoting this, please read the (now) top rated comment and take a step back to think about how this line of thinking is destroying our society right now. If something fits your world view (Apple is evil) you stop looking for more evidence and join your tribe. Feels good, but only helps to spread misinformation.
The top rated comment is also misleading. This functionality (filtering Apple app traffic using Little Snitch) used to be possible before Apple made it impossible. The fact that you can still route Apple app traffic through a system-wide VPN doesn't change that a bunch of more-selective firewalls/VPNs have effectively been nerfed by Apple's actions.
So yes, Apple is in the wrong.
Edit: The article headline is technically accurate (if a little clickbaity): "Apple apps on Big Sur bypass firewalls and VPNs". Yes they do! Not all firewalls. But they bypass some of the most popular ones, like Little Snitch.
I mean, I'm not close to Little Snitch's development but I'm pretty sure they used to use a kernel extension. Kernel extensions are deprecated but they aren't going anywhere anytime soon since it seems like Apple just built a brand new kext loading system to handle static kernelcaches
Totally irresponsible. There is no way I can understand this policy. Impossible.
What, are they working with someone? Five eyes? China? Spain? The Soviet Block?
Honestly, this is either utter imbecility or straight ill-will. There are no greys here. At all. When you do a thing like this either you are stupid or you DO know the risks and are OK.
Great: now people in Hong Kong cannot use Big Sur because they should be afraid of the apps they are using.
In the Vault 7 leaks, Little Snitch was something specifically mentioned as being difficult to circumvent. Now, the ability to bypass it is baked into the OS:
> Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers.
Also very relevant that VPNs seem to be illegal in China.
And Apple forced the hand of Telegram to shut down the channels revealing the names of Belarus police.
> Also very relevant that VPNs seem to be illegal in China.
How illegal are they currently? When I lived there, they were illegal too, but still everybody would use them. There was always a difference between "illegal by law" and "really illegal".
The judiciary is not independent, so it's a moot point anyways. VPN use will just be used as another signal that you are possibly an enemy of the state.
Probably only as a means to get you in to charge you for other things, kind of like using "click it or ticket" used by cops to pull you over because you "look suspicious" and they're bored and want to do a full car search because "they smelled something".
> while China does have data privacy laws, there are broad exceptions when authorities investigate criminal acts, which can include undermining communist values, “picking quarrels” online, or even using a virtual private network to browse the Internet privately.
Sadly, that's the flipside of our strategy of telling authoritarian governments that they should follow rule of law. China made laws that obligate data companies to share the data with the CCP. So Apple must comply. All according to the law.
Remember that we have no idea whether Windows and Intel processors with IME (and AMD processors since Ryzen?) don't have built-in backdoors (and Macs have been using Intel exclusively for years now, haven't they?). So nothing very new here, really...
It's still in use for DRM though apparently, and so long as it still runs, and so long as we still can't audit it, it isn't trustworthy from a strict privacy perspective.
Being somewhat aware of current affairs in Spain and having dealt with Spanish administrations' digital services and platforms in multiple different contexts, I would be honestly very surprised if they were able to unilaterally agree any kind of deep backdoor conspiracy with a large tech company–let alone effectively implement it.
I don't know why. This has been Apple's stated position for a long time and the primary reason they are moving to ARM for the Mac, to make them more iDevice like, meaning you do not own the computer, they do, and you can only use it in a manner they (Apple) allow and bless.
Apple has been moving away from the professional / hacker market for a long time, they want to sell to normal consumers and could give a shit less about the pro or hacker market.
Apple has benefited immensely from developers building apps for their iDevices. Apple in their infinite wisdom decided that such apps must be developed on a Mac.
Making apps is not super profitable, most apps don't make enough revenue to support even 1 full time developer.
If they turn the Mac into a toy computer that developers can't use then it will affect the app ecosystem.
Besides the general hand waving that doesn't mean much ("make them more iDevice like", "you don't own your computer, they do") which doesn't say anything, the parent is talking about this particular decision.
As for "you don't own your computer, they do", what it translates to is: "The OS places certain restrictions that work and make it safer for the large majority of users, but might not give full tinkering abilities to everybody". Which you never have (full tinkering ability) in a closed source OS, anyway.
While "we bypass firewalls for our domains" can be thought of in the same vein ("we think it's better and safer for most users to work this way, and leads to less head-scratching why X Apple service doesn't work etc"), it's not exactly the same.
Apple can go towards the "no tinkering direction, it's a device that just works", without preventing user firewalls from blocking Apple domains (provided of course the user understands that by blocking them they get no iCloud and other services).
>Apple has been moving away from the professional / hacker market for a long time, they want to sell to normal consumers and could give a shit less about the pro or hacker market.
On the other hand, the pro market (video, music, graphics, office, programming, writing, data analysis, etc) shouldn't have workflow issues with what Apple did, and the hacker market is small (and has never been a target market).
I think a large amount of people will disagree that these OS restrictions work or make it safer, but that is really beside the point
There is a HUGE difference between passive secure defaults, which a normal user will never change, and active blocks / overrides that can not be removed.
An example of this is iPhone vs Android store policy: by default on Android you can not install untrusted APKs or other stores, however inside the phone there is a simple way to disable this block. This is an example of a passive secure default. Where on iPhone it is simply impossible to disable this block
One OS (android) is respecting your ownership rights while protecting the normal users, the other (iOS) is asserting their ownership over the device.
Surely you can see the difference
It is clear that Apple intends to bring this type of Active Ownership control to the Mac ARM platform, this is just the first step, a warning shot if you will, of what is to come
>There is a HUGE difference between passive secure defaults, which a normal user will never change, and active blocks / overrides that can not be removed.
Yes. That's why I think while this change is OK as a default, it's problematic to not be overridable -- and even if it was just a default it should be communicated clearly as a change, so those affected (e.g. people relying on VPN under some regime) know about them.
Those people are not the typical user case, but it's an important consideration still.
>An example of this is iPhone vs Android store policy: by default on Android you can not install untrusted APKs or other stores, however inside the phone there is a simple way to disable this block. This is an example of a passive secure default. Where on iPhone it is simply impossible to disable this block
One problem with this duality is that people will disable the block, and then complain plus have their info/data and those of others compromised etc, when they install malware at the first BS prompt that tells them to do so (to get some cool new game or some pirated stuff).
That is, it's not just those "knowing what they do" that will bypass those kind of defaults....
Apple chose to go with the "Most people don't know what they're doing, and if we allow it they will do it anyway", which is a defensible position. You use their OS knowing that they do that.
But this change now, was not the same kind or communicated as well.
>It is clear that Apple intends to bring this type of Active Ownership control to the Mac ARM platform, this is just the first step, a warning shot if you will, of what is to come
If "what is to come" is a machine that "just works", has no malware, but has to get its software from the App Store and/or notarized by Apple, I'm fine with it. And hundreds of millions will probably also be.
Apple was never about tinkerers and customizations, they were always about cohesive, all-in-one, curated -- and that's ever since the Apple II.
It's not their fault that people who don't like this model feel like they have to still stay with Apple.
It's not 1999 anymore. Those days if they broke into your computer or if you got a virus you would lose some useless files and a few hours/day to reinstall your Windows. Nowadays you can lose a lot, and with working from home etc becoming more the norm, even more so...
Well again we can debate on the "just works" part, as Apple has a lot of problems in their hardware reliability as well but that is another debate altogether.
It is also revisionist history to say "Apple was never about tinkerers and customizations", Apple was born out of the "tinkers" market, and did in fact become popular pre-iPhone days due to this hacker mentality, to deny this is to deny actual history
Further, your comment about it "not being 1999" anymore and that if your system becomes infected to the point where you need to "reinstall windows" you lose a lot simply because you are working from home..
I fail to see the connection, today there are far better tools on both Windows and Mac to backup and restore systems.
For Windows with OneDrive unless you have a massive amount of custom apps to install it is literally just logging in to any other Win10 computer and connecting your OneDrive to that computer and you have all your files
If you do not want to use Cloud services, free agents like Veeam for Windows empower users to backup and restore a complete computer in just a few minutes.
Also to claim Mac is "Virus free" is moronic, and implies a level of security that is not really warranted. Mac like Linux is security through obscurity, Windows still has a 90+% market share, so of course threat actors will target Windows more. Apple Mac is not targeted simply because there are not enough people to justify the investment.
As Macs have become more popular, the number of threats has increased, and has shown Apple is not this secure enclave simply because they are Apple, they are secure simply because no one cares enough to target the platform.
My first Apple device was an LC II. What ""tinkers" market, and did in fact become popular pre-iPhone days due to this hacker mentality, to deny this is to deny actual history" are you talking about?
Go read the feature list of Copland to see how much "tinkers" market they cared about.
>*It is also revisionist history to say "Apple was never about tinkerers and customizations", Apple was born out of the "tinkers" market, and did in fact become popular pre-iPhone days due to this hacker mentality, to deny this is to deny actual history*
I was there in the pre-iPhone days, and Apple was never about the "hacker mentality".
In the early days (and up to now) it was all about "computers for the rest of us" (as the slogan famously said, which is also what the 1984 ad was about -- freeing computing from being a serious/enterprise/business affair, not about hacking ideal - the target was IBM and the PC).
During the Jobs-ousted era (Scully etc), it was mostly about selling expensive boxes to vertical markets (printing, design, and so on).
Their first popular post-Jobs products were the all-in-one iMac, the powerbooks, and of course, the iPod. And they always insisted on the vertical integration (they make the hardware and OS/basic software) - with the brief pre-Jobs exception of the Mac-clones, which nearly killed the company.
>I fail to see the connection, today there are far better tools on both Windows and Mac to backup and restore systems.
It's not about backing up and restoring, it's about third parties getting access to your documents, data, personal pics and videos, account passwords, files, etc -- which today are a much larger and more important part of your life and business than it ever was.
>Also to claim mac is "Virus free" is moronic, and implies a level of security that is not really warranted
I didn't claim it, but now that you said, I will: Mac is, if not virus free, effectively virus free, and can be even more so. There has not been any major outbreak for the Mac (tons for Windows). The biggest outbreaks were confined to sub-10% of users, and were invariably trojans, not viruses (users had to actively run them).
>Mac like Linux is security through obscurity, Windows still has a 90+% market share, so of course threat actors will target Windows more. Apple Mac is not targeted simply because there are not enough people to justify the investment.
That's an old fable that doesn't hold. In the 90s, when the Mac (Mac OS then, pre-OS X) had 2% to Windows 98%, it still had tons of viruses.
And of course iOS has 0 or no viruses and malware, whereas Android has a ton, and there are not only close (30-40% to 60%) but also richer people on the iOS phone side to justify resources. It's just more secure, for various reasons (and no side-loading is one):
>>And of course iOS has 0 or no viruses and malware
Wait what?? Are you serious? Please tell me you are not serious
Man are you in an Apple PR bubble if you believe that, iOS most certainly has been impacted by viruses, malware and vulnerabilities
>>That's an old fable that doesn't hold. In the 90s, when the Mac (Mac OS then, pre-OS X) had 2% to Windows 98%, it still had tons of viruses
I am not sure what you are attempting to say here? You're implying Mac OS had a ton of viruses, if so I am not sure why you said "still had tons of viruses"
If you are talking about win 98 having viruses this does not refute my statement at all, as in Win98 days, as today then and now Windows was the vast majority (90+%) of computers.
>Wait what?? Are you serious? Please tell me you are not serious Man are you in an Apple PR bubble if you believe that, iOS most certainly has been impacted by viruses, malware and vulnerabilities
Well, since you're outside the PR bubble, I'll be eagerly awaiting your examples of viruses in iOS devices. I'll be patient.
Spyware you'll find a few (they exist in any system when you can't trust the developer 100% -- even Facebook app functions as malware, in the sense that it got data it shouldn't), that are stopped when found out, exactly due to developer certificates. No malware in the wild (virus, trojans, etc) infecting iOS devices, due to no sideloading and sandboxing.
While at it, also refute the "50 to 1" Android to iOS malware ratio as given in the post -- and that's from an antivirus vendor:
The thing is... You use tor because you think you can prevent ALL of the traffic from being visible (similar to a VPN). Now you cannot trust the kernel not to reveal anything to Apple.
Tor does not, never has, and never has even tried to, capture "ALL" of the traffic on any OS. It's just a SOCKS proxy, period. If you ever thought Tor could do that, you were just wrong.
There are various third party add-ons for various systems that do try to funnel "ALL" traffic through Tor in various ways. Orbot for Android tries to act like a VPN for the phone. Outboard hardware like the Pi-hole will try to put everything on a subnet through Tor. Tor-centric OSes like Whonix and TAILS put all of their traffic through Tor. You can hack something up to do it on vanilla Linux.
... but so far as I know, there has never been anything that tried to do it on MacOS. Maybe I just don't know about some weird hack that's available, but even if there is one, it's not part of Tor proper.
It's also not something anybody should ever have relied on anyway, because trying to "act like a VPN", on a general-purpose OS that's not cooperating, is prone to be leaky regardless of the OS. As long as programs running in an OS can find out the system's "real" IP address, they can leak it, so if you're serious about containing non-cooperative programs, you need to deprive them of that information.
The Tor Browser doesn't do any of that. It just sends the traffic from the browser app itself over Tor using SOCKS, and Apple has not broken that here.
What Apple is doing is obnoxious and unacceptable and yet another reason never, ever to use an Apple product for anything... but it has zero impact on Tor.
Yes, but Apple keeps track of the applications you open and sends that data through third parties unencrypted.
Imagine you open Tor on your Mac: Apple will send a request with Date, Time, Computer, ISP, City, State and Application Hash through the open internet for everyone who listens.
That by itself is not very interesting, but if you combine that with all the other data hoarding that happens, it can trace back to you.
This is completely false. Jeffrey Paul was extremely dishonest about the location data, which is not sent at all, and he misunderstood how OCSP works. It doesn’t send the hash of the binary. Others have cleared this up and Apple released a statement.
It's not false except in some insignificant details. The OCSP request still tells Apple the developer ID, which for some software is just as revealing.
For the Tor Browser, the developer ID used with OCSP is:
The Tor Project, Inc (MADPSAYN6T)
That's certainly enough to tell Apple you are running Tor Browser, Tor itself, or something else from the Tor project!
Also that's only OCSP which runs often. Gatekeeper also runs, though only the first time each new executable is run. Gatekeeper does tell Apple the hash of the application. That will show up each time you run it after updating to a new version.
The stuff about street address etc. is wrong, but not completely wrong. Because the request is sent when you open the application, as a side effect it reveals your approximate location (to any third-party eavesdroppers, not just Apple) and an accurate timestamp of the moment when you opened Tor.
Of course anyone eavesdropping nearby can detect the Tor traffic itself. However, only on the paths used to the Tor exit node. Separate from the Tor traffic, Apple and any routers along the path to Apple (e.g. "great firewall") can identify devices running Tor from far away, even if they don't have direct evidence of Tor traffic from those devices. I think it quite likely that CCP (among others) will be logging these OCSP requests at the great firewall already.
> the data sent to Apple’s OCSP server contains information relating to an app’s developer but not the app itself. It adds that Apple’s Gatekeeper service can send the hash of an executable, but that this is separate to OCSP and happens over an encrypted connection. Apple’s own support page notes that Gatekeeper uses “an encrypted connection that is resilient to server failures.”
> In its updated support document, Apple makes clear that security checks it makes when authenticating software do not include a user’s Apple ID or device identity. The company also says it’s stopped logging IP addresses associated with the Developer ID certificate checks. “We have never combined data from these checks with information about Apple users or their devices,” writes the iPhone-maker. “We do not use data from these checks to learn what individual users are launching or running on their devices.”
It doesn’t send any of that geolocation data, which is not an insignificant detail. That’s an egregious claim and he just made it up, and now people are repeating it everywhere.
It doesn’t send a text string of the developer ID. It sends the thumbprint for the certificate. That’s still some information that could be used indirectly to determine some apps that may be running, but you’d have to at least collect a mapping database by sampling common apps.
Most importantly, it doesn’t even try to explain what OCSP is. This is critical in order to understand the purpose. Without that, and with the other false or misleading info, it looks like this literally exists for the purpose of tracking your every move and what apps you use. But that isn’t what it is at all. It’s a good-faith malware protection feature that has some potentially unwanted side effects that have privacy implications, and even those implications are substantially less than what is claimed.
There are legitimate privacy concerns with OCSP, but I feel that it’s important to represent the situation accurately. This is an off-the-shelf revocation checking protocol that was implemented to the spec. We should pressure them to improve it (which sounds like it already happened, a very positive sign), but it’s unhelpful to paint them as villains over it for following a standard and not even keeping any of the data that is sent back.
You’re correct that the notarization check has a hash, but that’s not what he was talking about. Also, that’s sent once and encrypted I believe.
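The exchange above turns on what an OCSP request actually carries. As an added illustration (example code, not anything from the thread, Apple or the Tor Project), here is a minimal DER encoder and decoder for the CertID structure that every OCSP request contains per RFC 6960, together with the kind of lookup table a network observer would need to turn one into a signer name; the issuer bytes and serial number are constructed stand-ins, not real certificate data.

```python
"""Minimal DER encoder/decoder for the OCSP CertID (RFC 6960, section 4.1.1).

CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING,
                      issuerKeyHash OCTET STRING, serialNumber CertificateSerialNumber }
The request names the certificate being checked: it carries no hash of the signed
binary and no developer name string, yet an observer holding a table of known
CertIDs can still recognise the signing identity.  All sample values are constructed.
"""
import hashlib

OID_SHA1 = "1.3.14.3.2.26"  # hashAlgorithm normally used in CertID


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 digits, high bit set on all but the last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _encode_int(value: int) -> bytes:
    # One spare bit of room keeps the DER sign bit clear for positive serials.
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_cert_id(issuer_name_der: bytes, issuer_public_key: bytes, serial: int) -> bytes:
    """Build the DER CertID an OCSP client would send for one certificate."""
    alg = _tlv(0x30, _encode_oid(OID_SHA1) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    name_hash = _tlv(0x04, hashlib.sha1(issuer_name_der).digest())
    key_hash = _tlv(0x04, hashlib.sha1(issuer_public_key).digest())
    return _tlv(0x30, alg + name_hash + key_hash + _encode_int(serial))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element); handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_cert_id(der: bytes) -> dict:
    """Parse a DER CertID into its fields; raises ValueError on malformed input."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("CertID must be exactly one SEQUENCE")
    tag, alg, pos = _read_tlv(seq, 0)
    oid_tag, oid_body, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("bad AlgorithmIdentifier")
    t1, name_hash, pos = _read_tlv(seq, pos)
    t2, key_hash, pos = _read_tlv(seq, pos)
    t3, serial, pos = _read_tlv(seq, pos)
    if (t1, t2, t3) != (0x04, 0x04, 0x02) or pos != len(seq):
        raise ValueError("unexpected CertID layout")
    return {
        "hash_algorithm": _decode_oid(oid_body),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": int.from_bytes(serial, "big", signed=True),
    }


def identify_signer(cert_id_der: bytes, known: dict) -> str:
    """Look a captured CertID up in a table keyed by (issuerKeyHash hex, serial)."""
    f = decode_cert_id(cert_id_der)
    return known.get((f["issuer_key_hash"], f["serial_number"]), "unknown signer")


# Constructed stand-ins: the hashes only need some bytes to hash, not real DER.
SAMPLE_ISSUER_NAME = b"constructed issuer DN, not real DER"
SAMPLE_ISSUER_KEY = b"constructed issuer public key bytes"
SAMPLE_SERIAL = 0x1A2B3C4D5E


def demo():
    """Encode one CertID, decode it, and match it against an observer's table."""
    cert_id = encode_cert_id(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY, SAMPLE_SERIAL)
    fields = decode_cert_id(cert_id)
    # The observer's table would be built beforehand from certificates of known apps.
    table = {(fields["issuer_key_hash"], SAMPLE_SERIAL): "Example Developer (constructed)"}
    return fields, identify_signer(cert_id, table)
```

Running `demo()` shows that every field is a hash of issuer data or a serial number, and that the same certificate always yields the same CertID, which is exactly what makes a pre-built mapping table work.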
Last time I checked Tor was managing its own encryption and routing without relying on any macOS VPN or firewall API. Several years ago it was making direct connections to various IPs and sending the encrypted information.
It makes no sense for Tor to use those APIs since they're designed for other use cases.
False. True VPN apps, that simply set up a VPN network interface and alter your default route, continue to route Apple traffic along with all other traffic.
Supposedly, there is a way. You can just remove all the apps from the whitelist. After that, apps like Little Snitch pick up on the activity. The hosts file I believe still works as well, but I haven't seen anyone who's tried it out yet and posted about it. One caveat is that you probably have to monitor the whitelist to make sure nothing gets added back without you knowing about it.
Not sure how well any of that works though. I'm not touching Big Sur or the new macs with a 10' pole until all the software that I rely on is updated to not require kexts 100% (including Little Snitch full support) and Apple silicon has virtualization support so I can run Docker.
I'm really glad I just upgraded to the latest Intel MBP a few months ago.
Yes, according to this [1] there is a way to remove the whitelist entries. It doesn’t seem practical and it’s a big turn-off for me. I was thinking about switching to an ARM Mac when the second or third generation comes out, depending on how they perform. But now I’m thinking I probably won’t switch. Especially with things like this and how stuff like this is enforced on other platforms.
How can I know that the option to edit the whitelist won’t be removed as fast as the default entries were added to the whitelist?
And requires that you disable system integrity protection, which opens you up to other threats as well as bugs that can prevent you from being able to boot at all:
By this I just mean it is a general observation about companies when they become large. If we are to support the free market, big companies should not be allowed to exist; it just encourages mono/duo/oligopoly and hinders economic optimisation.
One of the issues I see with this is that the free market encourages companies to try to become a monopoly/oligopoly, because it's the only way to sustain profits in the normal idealized market models.
So you can't support the free market and not allow big companies to exist at the same time.
Instead I think it would be honest to say that we don't want free markets, because they have inherent issues that are detrimental to people. At the same time we don't want planned markets which have historically failed as well.
Instead there must either be a better paradigm or a sweet spot in between (e.g. a well regulated somewhat free market).
Big companies become big because they find a loophole and a way to exploit it. Normal businesses don't get big. This is an anomaly, an edge case. We need regulation that divides companies when they become too big, just like cells divide in nature. We also need to review offshore ownership and make sure they pay the same tax as smaller businesses. You cannot have a small struggling shop paying 40% and the big guy only 1%, if anything.
> Big companies become big because they find a loophole and a way to exploit it. Normal businesses don't get big.
That's a non sequitur. A lot of "normal businesses" became big.
In any case, Apple didn't become big because they found a "loophole". They were on the brink of bankruptcy and became big because they put out product after product that people liked: the first iMac, the iPod, the iPhone, and the iPad.
And they didn't even compete on cheaper prices, undercutting the competition by throwing VC money (a trick Amazon did): they did it while selling only on the higher end of the market, and charging the same or more than their PC/mobile competitors.
Oh, and for the most part they didn't even do it through marketing either. Their ad budget was laughable and less than half to 1/5th compared to competitors for the first 15 years. Heck, Samsung used double to triple Apple's ad budget, and Google used 1/2 Apple's budget on just a single phone product.
> One of the issues I see with this is that the free market encourages companies to try to become a monopoly/oligopoly, because it's the only way to sustain profits in the normal idealized market models.
The idealized market models are models. It doesn't work like that in real life.
Example: McDonald's. They have all the competition in the world. Restaurants are one of the closest markets to idealized perfect competition there is. But McDonald's still makes plenty of money. Because as close as restaurants are to the ideal, the ideal doesn't actually happen in real life.
Coca Cola, Nike, Toyota, Starbucks. These are all multi-billion dollar companies with nothing even resembling a monopoly.
Actually, you can support free markets and prevent large corporations.
Most large corporations become large not purely on market forces but because of regulatory capture, whereby they slam the door on competing businesses by passing "consumer friendly" regulations that are in reality more focused on preventing newcomers to the market.
Why do you think Facebook is so hell-bent on getting regulations from the government on social media? Because they know they will be one of the "stakeholders" that will help write them, thus ensuring their market dominance.
Why do you think Amazon is now in favor of National Sales Tax regulations? Because now that they have to pay sales tax in all 50 states, it favors them to have 1 regulation vs. 3000.
Why do you think Walmart now favors raising the minimum wage? Because social and economic pressure has forced them to raise their own wages, so they want to ensure all companies have to pay the same wages they are.
Point to any large company that is in a position of market dominance and I will show the government regulations that allow them to operate in that way
Hell, the very basis of the corporation is a fictitious entity created by government to limit liability; the laws around those corporations (especially public corporations) are government regulations written by large corporations for their benefit. That is not a free market at all.
> Why do you think Facebook is so hell-bent on getting regulations from the government on social media
What truly threatens these corporations isn't regulation, in fact I'd wager they're counting on it. The real threat is the next Instagram that walks through the door that doesn't sell to FB. Basically, the biggest threat to FB is the fact that people don't really care about FB, they just want something to look at on their phones. It's totally in FB's best interest then to make it more difficult for competition to invent new ways to look for people to look at their phones.
Banking and finance in general is probably the best example. It's so difficult to start a bank these days that your best bet is to acquire a failing one.
However, on this point:
> Point to any large company that is in a position of market dominance and I will show the government regulations that allow them to operate in that way
I don't really see how Apple falls under this category? I can see it for Amazon, Netflix, Walmart, Google, Facebook, etc... but what about Apple?
Apple is a weird case, I agree, because while they are powerful they do not really have anywhere close to a monopoly: iPhones account for less than 35% of all mobile devices in the world, 50% in the US. It is a duopoly with Android, though.
This duopoly is largely supported by FCC regulations and carrier restrictions: it is very hard to get access to wireless frequencies and even harder to do that nationwide; given this, it is hard to deploy a mobile device in the US.
Apple then relies upon copyright and contract law, both of which are favorable to large companies, not consumers, to ensure their market dominance by making it impossible to create interoperability between their ecosystem and others.
Then you have the various Tax and general business regulations that favor all Large companies, some of which in general prohibit smaller companies from growing.
AND it is Big Brother in its “1984” ad. “We will prevail!”
Ironic, isn’t it
PS: Why don’t the people here combine forces and capital to create a video and privately registered website like apple1984.com (I think trademarks can be used for criticism, otherwise just use 1984 plus something) and actually run this ad to shame apple on various social media and youtube? DoubleTwist did.
> So there are no true VPN apps in Big Sur at all?
VPNs work just fine for me. Some Apple apps may bypass the VPN, but I don’t see a reason those apps would need to connect to the company intranet in the first place.
> Nevermind that your VPN might have the purpose of bypassing shitty, insecure public wifi.
> Nevermind you may not be trusting your local/national internet infrastructure.
Routing traffic onto the public Internet through a 3rd party adds absolutely nothing to security. You shouldn’t trust the Internet in any case.
If you use it to ‘bypass shitty security’, then all you’re doing is tricking yourself into a false sense of security. VPN services like that are complete and total bullshit.
Sure, it will work fine for (many) corporate drones. Who gives a damn about corporate drones? "Company intranets" are only one of many uses for VPNs... and a boring one at that.
You're doubling down on your ignorance, arrogance, and lack of imagination.
The major non-corporate-drone use of VPNs is to confuse the site you're communicating with about where you are, not to conceal the content of the traffic.
There are many other uses, and more things in Heaven and Earth, Horatio, than are dreamt of in your philosophy.
> The major non-corporate-drone use of VPNs is to confuse the site you're communicating with about where you are, not to conceal the content of the traffic.
So basically to commit fraud when using streaming services. Can you think of a legitimate use case?
Well, this is great news for malware developers (including intelligence agencies)! Apple might as well just have said: "Here, malware developers, focus your efforts on these few apps. The payout when you find an exploitable vulnerability is fully unmonitored, unfettered access to the network (by default) to do as you please."
This is beyond irresponsible. Apple knows there are going to be bugs in their code. Doing it anyway is completely hypocritical to their own privacy-focused marketing.
This is irrelevant news for malware developers. How many people do you think are running Little Snitch? I'd be surprised if it's more than several tens of thousands out of tens (hundreds?) of millions of machines.
Such an application is extremely annoying for normal users.
This type of crap is why I stopped using Windows and macOS. I don't want my security to be compromised because of some idiot in a suit making a bad call.
I disabled all telemetry in Windows and use GlassWire to check what's up, but I'm planning to add an RPi with some extra traffic monitoring. Frankly, this is untenable. Users shouldn't have to go to such lengths to protect their privacy. Apple and Microsoft need to be held accountable and ordered to delete all personal data harvested for which they cannot provide a legitimate reason to have it.
True, but that line of thinking assumes they will harden those things in favor of the customer/user.
The article suggests that Apple may be exempting its own apps from user-defined network traffic protection measures in order to clamp down on geographical licensing loopholes, or to keep its app traffic out of VPN servers. Either case would be to the benefit of Apple and the detriment of the customer/user IMO.
Are billions of people better served with compromised security not because of some idiot in a suit, but because they installed Linux and don't know what exactly they're doing?
> The big question though is why the company’s doing this. So far, it hasn’t said why Apple apps on Big Sur are exempt from firewalls and VPNs, but there are some theories.
I'm also genuinely curious what the main benefit of doing this is, and whether it's done by design.
So there are solutions to this. They could show a notice asking the user what they would like to do. Something like “there’s a problem connecting to the internet: cancel | try without VPN”.
I'm not sure how it is on Mac, but on Windows, if you've ever used an app that can block network connections and limit other applications, what is to stop any other app on your computer doing the exact same thing? As far as I've understood, any app has access to any other app, and the whole environment is just a warzone of apps where you have to trust every app completely to be okay with running it.
This is probably the first step of being able to fully enforce geo-blocking, censorship or other legal requirements on Mac OS users without any way around.
I wonder what enterprises with managed macbooks would think about this. Internet traffic has to be routed through the company firewall in some corporate networks and this restriction will likely cause the company to ditch Apple.
I already thought the same. Our IT department is probably happy to get rid of the two handfuls of Mac systems once they have "proof" that those are undermining the network security (when people use them from mobile hotspots or at home).
Yes, you can. However, for the average user, configuring a router with a VPN or proxy is a bit complicated. Bypassing firewalls and VPNs on macOS is still terrible, by the way.
You can't run the VPN on the router if you don't own the router, which means that you can't protect your device's traffic when you're on the go, using mobile hotspot, or connecting to an ISP-supplied gateway without additional hardware.
Frankly, a fixed "Internet" Service Provider that doesn't provide you with a router (and leaves you the possibility to use your own) and a /48 IPv6 prefix should have no legal right to call that service "Internet" (in a similar way that net neutrality has to be legally respected):
(Mobile cellular Internet seems to be harder, but is there any reason why the user's cell 'modem' can't handle the routing of successive /64 connections?)
If I have a second phone (e.g. Android) running a hotspot, and I enable a VPN on that phone, will the hotspot / shared internet also go through the VPN, or will the hotspot bypass it?
If this Apple firewall nonsense sticks, I can see a market emerge for self-contained USB ethernet/wifi dongles that incorporate a built-in router/firewall with VPN functionality. You could build something like this yourself using an RPi or something similar, but my feeling is there could be a sizable market for a small & cheap off-the-shelf device you just plug in.
Yes, but it's only useful when connected to your home LAN where you have control over the router, and even then only if you know how to set it up.
Edit: also not sure if the router I got from my ISP (which I don't use, but I guess 99% of their other customers do since it is non-trivial to replace without losing IPTV) would allow me to configure it as a VPN gateway. Pretty sure it won't considering they try to lock it down as much as possible.
I have a feeling that Apple likes to give its apps special treatment just to remind everyone that they can (why that is however I don't know, maybe begging for regulation?).
I wouldn't be surprised if there are still apple apps installed as system apps on iOS that could just come through the store or are using some special Apple-only API to do something trivial.
This is another example of Apple's platform treating Apple apps "preferentially" - one of the points raised in the ongoing App Store complaint.
I can understand why they think they can do this - they create the OS, so you implicitly "trust" them - but that position doesn't mean you shouldn't be able to grant others that same trust, IMHO.
Apple should be divided into separate independent companies. One for silicon, one for computers, one for phones and gadgets, one for screens, one for OS, one for app store and so on.
I'm getting more and more incentive to just drop macOS and start using Linux as my daily driver. Apple has absolutely no excuse for this, and I hope they correct it.
That said, I am curious which laptop brands today are most compatible with Linux. I've heard good things about Lenovo and Dell XPS. As for which flavor of Linux, I have my eyes on Arch...
I bought an XPS 2 years ago and haven't looked back. It's extremely well supported by most kernels and just worked for me.
Furthermore, Dell's WD19TB dock works on most kernels (and all newer XPS models) as well. I'm talking power, USB, network, and 3 2k@60 (or 1 4k@144 & 1 1080@60) displays all on a single cable. The future we were promised 4 years ago is finally here.
I looked into this a couple years ago for notebooks. Dell and Lenovo are pretty popular choices. Dell will pre install and I think Lenovo does now. I think desktops are easier to do your own install.
I bought a System76 which comes with Linux (Ubuntu or Pop!_OS). I’m using Pop and things work (JetBrains, Bitwig, I compiled Unreal Engine..).
Those machines are rebranded Clevos (so they say), but I know drivers will work. Build quality is decent and the machine has lasted. It’s been good and pretty much maintenance free. The OS updates frequently.
My only complaint is the machine has 2 video cards and will only drive externals with the Nvidia one. Switching requires a reboot. The battery life isn’t great when driving the Nvidia card. Maybe the new ones fixed this (Oryx Pro).
Can't speak for all their models, but I've had success with HP. My work laptop is a ProBook 430 G5 and everything except for the fingerprint sensor works great. The G4 also worked well but I only tried it for a short period. I've only tried Arch, but I suppose Ubuntu should work too.
There simply doesn't seem to be a culture of usability in Linux environments. "But, it's not that bad, I set up a Google/LibreOffice laptop for my mom!"– yes, it is! I hit a rage-wall any time I try to actually use a Linux distro as an 8+ hours a day working environment. Unless you almost exclusively work in command lines, it's no replacement for macOS (or even Windows, for that matter). And macOS does command lines just fine.
(btw, I admit that some of this has to do with a general lack of support for Linux by software and hardware companies, but there's only one side of this Linux distros can work on and that is making it a more pleasant environment for end users and most Linux users seem to sneer at that thought)
I recently bailed out of Apple into Linux. I put this transition off for a long time because I've used Linux (Desktop) in the past and it was rough, so I knew I'd have some hills to climb... but.. my life on Apple was rough, too. Ultimately I didn't switch because I could get a better UX on Linux; I switched because the huge market I'd pay Apple for a beefy tower was not worth the degrading user experience I was receiving.
In my past experiences a big frustration was configuring/debugging some random thing and ending up with a solution that - given 12 months of time - I needed to tweak and could not remember what I did. Or worse, I upgrade software and something breaks. I identified that this effort was wasted if I couldn't roll back easily, or incrementally document my steps through the OS.
To tackle this I chose to go with NixOS. It's got a lot of rough edges, but a few days of dedicated learning time was enough to make me feel mostly productive. I still have a lot of hanging questions, but with NixOS + Flakes + Home Manager I have a system that I feel confident about in terms of stability and my ability to roll back as needed. This softens the blow for me personally of needing to figure out stuff that I otherwise wouldn't have had to on OS X.
Since my focus is building a beast PC (that I don't want to pay Apple for) I might still use Mac laptops, and as a bonus my Nix setup can still be applied on Apple. From Nixpkgs to Home Manager dotfiles I plan on using my setup on both Mac and NixOS.
I switched fully ~4 weeks ago, and my only real complaints are (as a Linux Desktop beginner):
1. X11 seems awful. Notably I have one 4k monitor and two 1080p monitors and .. it's annoying to set up. I'm using XFCE because it was notably faster than KDE and especially GNOME, and so I set XFCE to 2x window scaling, but that scales all 3 monitors. So I have to use xrandr to tweak the scalings, and that has been a chore. Lots of experimentation for a janky experience, but I've got it working well enough for me. Wayland will hopefully improve this, but that's a long way out, it seems.
2. Basic features like scaling seem hit or miss. On KDE I recall it working pretty well with all my normal windows. On XFCE, if I set 2x scaling, Spotify and Zoom don't recognize the scaling, resulting in very small text. I'm willing to overlook a lot of the Mac "pretty" - but I really wish desktop environments would perfect the basics.
3. Discoverability on Linux (any distro, imo) is .. bad. We all know the trend of immediately going to Google for everything if you're unfamiliar with the toolset or the domain, but I feel like there's got to be a better way to navigate an OS from both CLI and UI. Linux has the same discoverability problem that Windows has; it's just easier to Google things.. and that feels bad. For a hacker-friendly OS I think we could do better here. NixOS, while equally terrible on this front, strikes me as something uniquely fit to be discoverable - given that nearly the entire experience is immutably configured.
All in all, so far I'm quite happy with my switch and looking forward to buying a Zen3 to build a new workstation. Hope this summary of my month-long journey is of use to someone lol. It's far from over.
Any thoughts on Purism or System76? I like the ThinkPads but I'm tempted to go Purism or System76 purely to support them.. but I don't want to do it at the cost of being dissatisfied with a lesser product.
Stallman, for all his faults, predicted exactly this and fought an uphill battle to prevent it. If only there was money in GPL software to make it competitive on the desktop, not just usable. It's something that would have to happen out of taxpayer's purse, I'm afraid.
Stallman predicted it but didn’t understand how to prevent it.
As for ‘happening out of the taxpayer’s purse’ - currently those who spend the money from the taxpayer’s purse in almost all jurisdictions are seeking to outlaw or seriously curtail encryption that they cannot break.
If you want to accelerate and make permanent the loss of control, get the government involved.
What we need is to build the infrastructure that would allow for decentralized trust of software and to make it as easy to use as an App Store.
Yet, those who tried to follow this ethos quickly discovered that the GPL requirements forced them to open up more than they wanted, including most things that made their products unique.
If you can't have meaningful competitive advantage or differentiation, it's kind of hard to make money.
No, it's hard to make ridiculously out-of-proportion amounts of money, create artificial concentration, and deliver extended exponential growth of individual enterprises. And of course it's hard to even make a living when all your competitors are allowed "differentiation" and you're not.
Which is what happens when a government sails in and starts granting monopolies.
Copyright is an artificial monopoly. Patents are artificial monopolies. There are a bunch of weird people out there who call themselves "libertarians", but somehow favor the government creating such restrictions on people's liberty. They're confused and should be ignored.
Trade secrets are perhaps slightly less artificial, but they are clearly destructive in an enormous number of ways.
If, as lawgiver, one were to totally eliminate all imaginary property and outlaw commercial secrets, one could arrange a society where a lot of people could make a very nice living. It might be harder to become a tycoon. Which would be all to the good.
I largely agree with you - we need to get past the notion of IP, but it’s a long way from where we currently are, and for all the problems with the current system, there are going to be problems with dismantling the IP regime.
Go watch "The Internet's Own Boy", Aaron Swartz's biopic, which describes the arguments for and against copyright/patents, you'll learn something. No question, the system is flawed, but not irredeemably so.
I still think it is valuable to be able to say (as copyright does) 'I made this thing, deserve to be paid if others use it, and can control to an extent how it gets used.' Ditto for patents - 'What I made is my original idea or is an improvement based on the work of those who came before me.'
If, as I understand your argument, you are in favor of the libertarian view which advocates that the government create no law which protects these constructs, you also deserve to be ignored.
While I do not agree with the paragraph about trade secrets, because that would represent compelled speech, I agree that copyright and patents are noxious.
Both have been ineffective at promoting innovation through disincentivising trade secrets. The most precious knowledge is not released and copyrighted and patented. It is still kept a secret.
If they were effective we would be living in a world dominated by shared source instead of binary blobs and obfuscation.
Without copyright and patents, trade secrets are the main protection mechanism but at the same time reverse engineering is not restricted in any way.
I'm glad that people are putting pressure on Apple to fix this and hope that they do.
That being said, I think many comments here are out of touch. We're talking about a specialized security feature which is not easily available on other platforms, is only used by a minority of users, and still works for most programs.
What exactly are your threat models that this is causing a problem for you? Are you sure that you can even use a mainstream OS if you need to block all outbound connections? If I had to have complete control over my outbound connections, I would use a hardware/software solution sitting between the computer and router.
Secondly, is this really bypassing VPNs or only the new firewall API? e.g. is it bypassing WireGuard?
> What exactly are your threat models that this is causing a problem for you?
If I connect to a public wifi hotspot and use a VPN, I used to be under the general assumption that my network traffic would be sent through my network tunnel and not be accessible to other users of the same hotspot.
One of the points of having a VPN is to be able to run software without every single middle man on the network knowing what you are running.
For example, say someone hypothetically wanted to post a comment on twitter that, again, hypothetically, was politically inconvenient for some authority figure.
The fact they launched twitter at about the time that comment was posted might be something they would prefer to not have reported on the internet at all, and certainly not without encryption.
Generally, this falls into the general category of "I may disagree with what you say, but I will fight for your right to say it".
I can't find Patrick Wardle claiming that Apple apps aren't routed through the VPN. This claim was made by "Maxwell", but they didn't provide any proof.
Some VPNs were using kexts before Big Sur, some weren't. WireGuard for example is a normal App Store app which integrates with the OS VPN support. It would suck to be confirmed that it's leaking traffic.
For what it's worth, a VPN will not protect you from threats on a hostile network.
“A virtual private network (VPN) is a form of network tunnel where a VPN client uses the public Internet to create a connection to a VPN server and then passes private network traffic over that connection. If you want to build a VPN client that implements a flow-oriented, custom VPN protocol—one that works with the data passing through a TCP connection rather than the packets used to transport that data—create an app proxy provider app extension.
When the system starts a VPN configuration that uses your app proxy provider, it launches your app extension, instantiates your app proxy provider subclass within that app extension, and starts forwarding flows to your provider. Each flow represents either a TCP connection or a conversation over UDP. Your provider is expected to open a tunnel to a VPN server and forward each flow over that tunnel. Similarly, if your provider receives flow data from the tunnel, it should pass that back to the system via the appropriate flow.
App proxy providers are one form of per-app VPN, the other being a Packet Tunnel Provider in source application mode.
App proxy providers are supported in iOS on managed devices only, and in macOS for Mac App Store apps only.”
https://developer.apple.com/documentation/networkextension/a...
"We're talking about a specialized security feature which is not easily available on other platforms is only used by a minority of users and still works for most programs"
I'm confused by this statement. We are talking about being able to implement firewalls and VPNs which can filter/redirect all outgoing connections. These are both abilities easily available on Windows and Linux.
I was referring to software firewalls. Obviously it's bad if a VPN is leaking traffic, but that's not confirmed yet... or at least I couldn't find any proof of that in the linked tweets.
This is an interesting opinion, considering that iptables has been able to do this for decades, and nftables can, too. It is trivial to filter outgoing traffic and there are even convenient GUIs to do so.
Filtering outbound traffic using iptables and the Windows firewall is supported. In addition there are multiple 3rd party software firewalls for Windows which also support filtering outbound traffic.
The "firewalls" in the title of this thread refers to outbound application firewalls. There are products that behave like this on Windows, but they're typically part of a security suite which one may or may not want. Others are free and display ads or collect information about the user.
I've used two products in the past, NetLimiter and ZoneAlarm. Back then NL was just getting some basic firewall features, since its main feature was throttling the connection per app. I used ZA as a free product, but now I see they have a paid version.
Last time I checked a couple of years ago I also found GlassWire, but I didn't purchase it because it kept being detected as infected by VirusTotal and the dev didn't have a clue what was wrong.
Frankly I don't know how trustworthy any of these apps are - this is a big problem with security software on Windows - you don't know if the anti-malware is going to behave like malware.
> What exactly are your threat models that this is causing a problem for you?
I would like my computer to not connect to anyone or anything when it's powered on if I'm not running interactive apps that I specifically wish to use the network.
It's sort of like the bad old days with Linux distros coming with like 47 listening services enabled by default. It took a while before they realized that defaulting things to "off" was the best move.
I encourage you to look at the pcaps coming out of a fresh macOS install with everything turned off: App Store, iCloud, analytics, FaceTime, iMessage. You'd be surprised how much it's doing when it's sitting there "doing nothing".
I would be surprised if Debian did anything like this. There is popularity-contest, but they are very explicit about it and it's opt-in. Other than that anything else would be considered as a bug.
Little Snitch & co aren't anti-malware solutions even if they seem like they might work against that. Anything which is running on a malware-infected system can't be trusted.
Such firewalls are used for protection against asshole developers which want to collect analytics without asking for confirmation. Apple are one of the assholes and LS can only be an interim solution against the OS developer. This was bound to happen... and I guess only a HW solution will help now.
Little Snitch & co are part of a defense in depth strategy against malware and other threats.
Will it catch everything? No, obviously. Will it catch enough things to make it worth running? I guess that depends on your threat model, but many think it's worth it.
We are getting towards the point where we will have to boot up into a full screen Linux VM because the outer operating system is too laden with crap like this (and secure boot).
The new ARM Macs have "secure boot". I don't know how it will work exactly but I assume it's something that stops you from booting a different operating system. If not, I'm sure that's in the pipeline.
Besides the privacy/security implications, this seems like it would also break these apps for all network topologies that only grant internet access through a VPN.
Some universities used to (and probably still do) provide internet access over unencrypted Wi-Fi networks, with the VPN gateway as the only reachable host.
Serious question, what does Apple offer that brings people back to them after an event like this, or the last one, or the one before that?
You can't customize the OS, the software for the platform is available on Windows and Linux, and the hardware is overpriced and underpowered, and then there's stuff like this where Apple decides how you should use _your_ computer. I sincerely do not understand why anyone would ever purchase an Apple computer, and yet here we are, again.
Especially confusing to me is how many of my fellow web developer peers I see choosing Apple devices over literally any other laptop with Windows or Linux which will run circles around a MacBook of the same price range.
This hasn't always been the case, but high-quality hardware and long battery life have been big attractors for me. I've never used a trackpad on a non-Mac laptop that has been comparable to MacBooks.
They spent millions of dollars plastering all sorts of media with ads about how much Apple loves privacy, and they figure that they can hire a few people to write articles explaining how it is actually good that Apple gets to decide what traffic should and shouldn't go through your VPN[1].
Let me see... hu... Interesting example of fragmented pressure-group politics, not ? More generally... a few days ago, I watched TV (the old linear one... ^^) and sure there were some ads, mainly about food, caring (clothing, hygiene, room) and somehow 'imagecare' (cellphones and magically 'digital identity') ...um (to keep it short)... so let me ask, were all of the polarizing only serving as a use to sell something like "Inseldenken"? (-;
They commented on all the *gates and even the ocsp issue which reached mainstream media.
But this is so low level (normal people don’t know or care about firewalls except it’s running, or understand why it’s bad for Apple to bypass it) that it won’t become big enough to get that kind of press and response.
On Linux I can configure programs to use the VPN link or not to use it, so I guess it would also be the case with a Mac? I would expect apps not to bypass default route settings; not being a Mac user I can only guess the default route can be set there, but would the OS somehow provide alternative routes if it detects the default route is the VPN?
Linux offers virtual TUN/TAP[1] devices that encrypt all traffic that is routed through them, along with proxying at the application level that allows you to tell, say, Firefox to use your VPN.
Linux also lets you create VPN connections for individual apps if you use network namespacing. Before WireGuard, I used to use network namespaces with OpenVPN[2] to create individual tunnels for different apps, and it worked nicely.
Regular VPN clients that manipulate the default route still work like they always have, this particular issue is related to per-app VPNs, which are not nearly as common, and would generally not be used to redirect OS-native traffic anyway.
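A quick way to tell the two kinds of VPN apart, as an added example that is not from this thread or from any VPN product: inspect the IPv4 routing table the client installed. The parser below assumes the column layout of macOS `netstat -rn`, treats the first `default` entry in the `Internet:` section as the effective one, and deliberately ignores the `Internet6:` section, so an IPv6 path around the tunnel would not be flagged; the sample tables are constructed.

```python
# Constructed sample of macOS `netstat -rn` with a whole-system VPN up: the
# tunnel owns the IPv4 default route; en0 keeps only the LAN route.
SAMPLE_FULL_TUNNEL = """\
Internet:
Destination        Gateway            Flags           Netif Expire
default            10.8.0.1           UGScg           utun3
default            192.168.1.1        UGScIg          en0
192.168.1.0/24     link#6             UCS             en0      !
Internet6:
default            fe80::1%en0        UGcg            en0
"""
# Constructed OpenVPN 'def1' style sample: 0/1 + 128.0/1 on the tunnel shadow the LAN default.
SAMPLE_DEF1 = """\
Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg           en0
0/1                10.8.0.5           UGSc            utun2
128.0/1            10.8.0.5           UGSc            utun2
"""
# Constructed sample with a per-app VPN only: the routing table is untouched.
SAMPLE_PER_APP = """\
Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg           en0
"""

def ipv4_routes(netstat_output):
    """(destination, netif) pairs from the 'Internet:' section only."""
    routes, in_v4 = [], False
    for line in netstat_output.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
        elif line.startswith("Internet6:"):
            break
        elif in_v4:
            cols = line.split()
            if len(cols) >= 4 and cols[0] != "Destination":
                routes.append((cols[0], cols[3]))
    return routes

def tunnel_covers_system(netstat_output, tunnel_prefix="utun"):
    """True if every IPv4 destination is routed into a tunnel interface:
    either both half-space routes (0/1, 128.0/1) sit on the tunnel, or the
    first 'default' entry does (assumed to be the one macOS uses)."""
    routes = ipv4_routes(netstat_output)
    halves = {dest.split("/")[0].split(".")[0] for dest, netif in routes
              if dest.endswith("/1") and netif.startswith(tunnel_prefix)}
    if {"0", "128"} <= halves: return True
    for dest, netif in routes:
        if dest == "default":
            return netif.startswith(tunnel_prefix)
    return False
```

Run `netstat -rn` on the live machine and feed its output to `tunnel_covers_system`; a `False` after connecting means the client is relying on per-app rules rather than the routing table.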
On Linux you can also have network namespaces. It wouldn't surprise me if Mac OS had a similar capability and their apps ran on a different network namespace than the one configurable by the user.
Does this really matter to anyone except a select few people? That's the issue I see here over and over. Missing the forest for the trees. No solution is perfect, but there's a feeling of exceptionalism that permeates this website.
Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.
You need to understand, when buying this kind of device, it is not yours. It may be convenient, shiny and powerful, but somebody else decides what it does and that means you are not in control.
The hardware may be outstanding and the OS could have been the top choice for me if only I knew it was my machine. As that is not the case, I will be sticking to a Linux laptop, for good and bad.
It is mine in name only. It is like a private bedroom where somebody else can come at any moment and inspect any aspect of my life and I can't stop him and sometimes I can't even know he is inspecting me at the moment.
Yes, there is some information leakage, but nothing like ‘inspecting any aspect of your life’.
But more to the point, you own the computer. You chose the operating system. If you don’t like what it does, buy something else. You can sell the one you don’t like, because it is yours.
Traditional VPNs that cover the whole system and route traffic based on destination IP (such as OpenVPN in UTUN mode) use the Packet Tunnel Provider in Destination IP mode. To the best of my knowledge, global VPNs routing based on destination IP (ie. non per-app VPNs) still route traffic from all applications, including Apple ones.
See this for more details on the Packet Tunnel Provider: https://developer.apple.com/documentation/networkextension/n...