Someone created a similar extension for Chrome called little rat[0]; it needs to be installed in developer mode because Chrome doesn’t allow extensions to interact with each other normally.
[0] https://github.com/dnakov/little-rat?tab=readme-ov-file
I was using a similar extension which whitelisted / blacklisted IP addresses in Chrome. I had it set to blacklist my home IP, which I paired with an in-browser VPN app. Since Chrome's latest extension update (about 3 weeks now?), I've had Chrome send requests to pages which were open before the extension loaded, leaking my IP. I assume similar issues could happen extension-to-extension, so this shouldn't be used for any privacy-related reasons - can't trust a Chrome extension to block 100% of anything.
I haven't used Little Snitch in nearly 15 years... I love all the security-focused apps that Objective-See puts out, and they have a Little Snitch equivalent "LuLu".
Does anyone know if the same thing can be achieved with LuLu? https://objective-see.org/products/lulu.html It looks like it can but I haven't used it yet.
Then you don't have control or visibility over Apple or third-party apps sending analytics likely without your approval.
LuLu has a fatal flaw: it drops or closes TCP connections randomly resulting in dropped SSH sessions. No amount of TCP keepalives on the client- or server-side will resolve this. This makes it a non-starter for anyone doing anything real.
Also good:
- BlockBlock - disk access application "firewalling" on top of macOS's privacy & security settings is very good
- RansomWhere? - ransomware process mass file change interception
- ReiKey - input interception monitor
- ProcessMonitor, DNSMonitor, FileMonitor, TaskExplorer, KextViewer, NetIQuette, Dylib Hijack Scanner, KnockKnock
- Oversight - webcam and audio hijack monitor (although I use ancient EOL Growl + Hardware Growl just to catch hardware events too)
- No longer useful or usable: Do Not Disturb, LuLu
Do any of these monitor or block screen capture and screen recording?
> OverSight monitors a mac's mic and webcam, alerting the user when the internal mic is activated, or whenever a process accesses the webcam.
https://github.com/objective-see/OverSight
You can go to settings and then lists to put in your custom blocklists.
I currently don't have a Mac, but could we do an MITM inspection to see what is requested and responded?
Since this is a Google domain I wonder if Apple pins the certificates.
I am currently battling a bug on iOS where blocking mask.icloud.com & mask-h2.icloud.com leads to Mail 'checking for email' for a long time. But I can't inspect what is requested. And supposedly, this is the way to prevent iCloud relay: https://developer.apple.com/icloud/prepare-your-network-for-...
Do you have Protect Mail Activity or Hide IP Address enabled in Mail Privacy Protection Settings?
No. That's all disabled. In fact, after x minutes the mail comes in.
Also, I tried replying with NOERROR and NXDOMAIN. Neither work.
It could also be downloading the database of known malicious sites from Google Safe Browsing:
https://transparencyreport.google.com/safe-browsing/overview
No, that's safebrowsing.googleapis.com
It's been some time since I have used Little Snitch and I never really got all that deep into it, so what I am thinking may already exist.
It would be nice if you could import a text or config file of standard things to allow/block. A general format that people could post, fork, edit, their own variations. Something akin to stevenblack/hosts providing a base list of hosts to block but the list is categorized as well as could be customized.
Another, probably better example, is something that could be saved in a dotfiles repository. You can share it with others but also if/when you need to set up a new computer, you don't have to start completely fresh with Little Snitch.
It does have this now, blocklists: https://help.obdev.at/littlesnitch6/concepts-blocklists
My guess was a favicon for the search window
What search window?
Is there a similar software for linux?
OpenSnitch
https://hn.algolia.com/?query=opensnitch&type=all
I use this. The first week was weird and scary until I had accepted the rules I needed for my daily usage, now it's been weeks since it's said anything (and I had to check that it was still running but it is).
E.g. running the android emulator was enlightening :-S
This looks similar, Safing Portmaster
https://github.com/safing/portmaster
I had thought that maybe it was pre-warming a connection so that when the user searches for something, it saves a network round trip and seems faster, but probably not if it’s to a static domain.
Interesting! I see this not so much as a feature people would use to make their own rules but a good feature for those creating lists of rules, like in this case "Un-Google my Mac"
If using Google Fonts without explicit informed consent is a GDPR violation then this surely is too?
You've probably agreed to that somewhere in the Terms Of Service and therefore gave consent
From what I've read online, that would not be enough.
According to https://gdpr-info.eu/issues/consent/
> Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.
Declining terms of service will affect the outcome so it can't be considered "freely given consent".
It seems GDPR authorities don't think like that. There's probably a reason OP included "informed" in their comment.
off-topic rant mode on
Little Snitch is awesome, but I had to stop using it at version 5 because it can no longer be installed into a subfolder of the Applications folder.
Mac apps are supposed to be usable from any location (even outside the /Applications/ folder) and I have used hundreds of apps from /Applications/_Apps/ since the Mac OS X Public Beta in 2000 without issue.
Little Snitch >= 5.0 is the only one having problems here, despite supposedly being a "real native Mac app". What gives?
off-topic rant mode off
I think it might be a security thing. The Mach kernel uses full file paths at the heart of the system. They may be relying on Apple maintaining the Application folder integrity. If that allowed running from other locations it becomes harder to ensure the integrity of the binary running.
That seems like such a bizarre restriction imposed by the app developer. They must have gone out of their way to stop this, because every application on my system can run from pretty much anywhere on my filesystem.
It's as if a Windows developer decided their program should only be runnable from a directory under "Program Files". So weird! Do they provide an explanation on their web site for the change?
Have you tried emailing the developer? As the article says, that's what I did.
I shan't be denied my right to wildly speculate.
Does it work if you put it in the subfolder then symlink into /Applications?
Anecdote: This became a problem for me with several apps after installing Sequoia
How come you’re nesting?
- Typically third-party apps require admin passwords to update when in the applications folder which is a pain for non admin users.
- Sometimes it is nice to put apps in a user's applications folder so other users do not have access (do not have other users' games cluttering launchpad).
- Sometimes you just want to put your utilities in the utilities folder.
wanted to keep 3rd party and 1st party stuff separate.
also makes copying all installed apps to another mac a 1-second thingie
IMHO the best way to do this is to install apps in the Applications subfolder of your user directory. When you do this, Launchpad and everything else treats them as if they were installed in the /Applications folder, but it's still trivially easy to tell what you need to migrate to a new machine.
On Sequoia, it's already separated. Apps shipped as part of the OS live in /System/Applications, and stuff you install (however you do it) is in /Applications.
What’s meant to go under /Users/<username>/Applications ? If I’m the only user of the machine is there a difference between that and /Applications ?
Looks like for me the only thing is Jetbrains IDEs installed themselves there hmm.
I think for the average user it's more of a remnant of NeXTStep. It is galling that Little Snitch doesn't let you use a supported feature; but I think Apple doesn't really care about ~/Applications any more, since they "solved" it w/ the Applications and System/Applications "split".
> NeXTStep
That was 30 years ago! Why should Apple stick to a decades-long rule?
If Safari needs to use Google as a search engine they (Google/Apple) might want to be able to track how many attempts were made vs successful, or to make sure it's up and available (it's never down, right?), and I'd guess this check is a way to achieve that.
Considering that the relevant preference key is WBSOfflineSearchSuggestionsModelLastUpdateDateKey, and the check occurs exactly once a week, your guess seems wrong.
As a Little Snitch user, I'm glad to be able to tell both Apple and Google "None of your business."
It's a simple little phrase that used to be very common, but people seem to have forgotten it over the last 30 years.
> The trick is to use "via" in the Little Snitch rule. When you're creating the rules, enter the full file paths of the two processes, separated by "via".
Everyone who has used homebrew knows this one.
Well, here's me, so not everyone.
Was this supposed to be a joke? It's not a good joke.
Not OP, but don’t think so ?
I wasn’t familiar with using ‘via’ in rules in Little Snitch either. Whenever I do ‘brew update / upgrade’, I do often get a whole bunch of alerts about connections, such as: ‘git’ / ‘curl’ via Terminal wants to connect to GitHub.com / githubusercontent / whatever.
Now, I don’t want to blindly give permission to all future curls/git issued from Terminal since that’s huge in scope. But I’m ok with all direct brew commands hitting certain endpoints. Perhaps this is a solution for me, I’ll check it out, trying to make rules for ‘curl’ via ‘brew’
It's amusing to hear of a software developer just beginning to block ssl.gstatic.com in 2025 when other folks have been denying access to ssl.gstatic.com and various other unnecessary domains for many years, years before Little Snitch even existed. The author confesses he did not know about his web browser phoning home to ssl.gstatic.com but titles his blog post about Little Snitch with the phrase "that nobody knows about" insinuating that he now knows about something that others do not. Funny.
> years before Little Snitch even existed
Little Snitch was first released in 2003. Unfortunately, your comment is a stereotypical example of the worst of Hacker News, both condescending and ignorant.
In any case, it's unclear exactly which version of Safari and/or macOS started the specific behavior noted in the blog post. Moreover, as the blog post also notes, it's problematic to deny ssl.gstatic.com across the board, because that causes website breakage.
> The author confesses he did not know about his web browser phoning home to ssl.gstatic.com but titles his blog post about Little Snitch with the phrase "that nobody knows about" insinuating that he now knows about something that others do not.
This is a gross mischaracterization of the blog post, the title of which literally starts with "Little Snitch feature". I'm certain that nobody knew about the feature (matching an associated process with "via"), because the Little Snitch developers themselves weren't aware of it until they reviewed the implementation.
Correction: Little Snitch was first released in 2003. The domain gstatic.com has been in use since at least 2008. It appears that Little Snitch was first mentioned on HN somewhere around 2013. This blog appeared somewhere around 2007, the same year that HN launched. To be sure, no one was blocking ssl.gstatic.com before Little Snitch existed, i.e., pre-2003, because the use of the subdomain began about 5 years after the software was released. Apologies for the error and thank you for the correction.
Little Snitch has remained closed source for over 23 years. As such, there will always be things about it that its authors know that "no one else knows", unless they choose to share. Why this non-transparency might matter to some computer users is a question left for the reader.
https://xkcd.com/1053/