Wandering Thoughts archives

2022-02-01

The likely long-term result of good on-host (host-based) firewalls

A while back I read j. b. crawford's host firewalls, which invokes a bright alternate future where we had good, smart host based firewalls on our machines that acted to (try to) limit nasty programs and their bad habits. One problem with this vision is the "why" problem, where you really want to know not just what a program is connecting to but why. You can imagine a future where programs have to tell you something about this, and there is social pressure for programs to limit what connections they make and so on. Unfortunately, I don't think this would work or come to pass.

If you look at it from the right angle, what people want out of a hypothetical good host based firewall is much like what they want out of ad-blocking extensions in browsers. Sadly, we have already seen how this arms race plays out and it doesn't go very well for the ad blockers. People who want to bypass ad blockers have come up with generations of technology to cloak their intentions and hide what your browser is actually talking to (which means that they're willing to lie about it). The current apex of this which I'm aware of is getting clients to provide a DNS CNAME inside their domain that actually points to the ad provider, so the ad appears to load from 'yadda.customer.com' but is really loaded from you.

The broader capabilities of a program makes things even harder to deal with. Many programs these days make a periodic online check to see if a new version is available, so they can tell you about it. The contents of the communication that passes back and forth to do this are opaque to the host based firewall (and you), so the program is perfectly placed to smuggle whatever it wants to back and forth between it and home base. You're rather unlikely to block access to 'vercheck.company.com' for a 'version check', and if the company wants to push it, they can make this a mandatory online licensing check instead.

More broadly, the programs have the power in this situation, more so than web sites do. People invoke programs because they want to use them, and as a result people are highly motivated to stomp all over anything that gets in their way. If the host based firewall gets in the way of someone using a program they want to run, the host based firewall is going to lose. If the program says 'allow this or I fail', it gets allowed. If some part of the system nags too much, that part gets turned off.

That people just want their programs to work also means that a host based firewall asking you to approve connections is not a stable situation. It can work only when that's infrequent. The moment that more programs start legitimately making more outside connections (for update checks or whatever), the host based firewall's 'ask first' policy is on the way out one way or another.

tech/HostFirewallsLimits written at 21:46:29; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.