Help with Firewall Settings macOS 15.5

Hi everyone!


I just realised the firewall on my Mac was disabled, which, apparently, is the default setting. I find that quite strange. Anyway, I thought it best to enable it and when I did, there are several items in the list allowing incoming connections. Does anyone know what they are and if they're supposed to be allowing incoming connections?


Thanks.




[Edited by Moderator]

Posted on Jul 24, 2025 1:44 PM

36 replies

Jul 28, 2025 6:30 AM in response to amd1

I think what's confusing me is that if connections are already encrypted, then why are VPNs necessary at all…

That's pretty much the point. While there are still many older sites that aren't secure, if you go anywhere that would be considered a commonly used commercial site, they're already httpS. The connection is already secure/encrypted. A VPN only succeeds in uselessly encrypting the encryption.


Do VPNs have any use other than a direct encrypted tunnel? Some people use them to illegally confuse a site about where you really are. Like watching videos on a Canadian site from the U.S., where you would normally be blocked because it's not in your region. And a VPN can help to temporarily hide your location. Good for journalists in countries where getting arrested and disappeared for reporting the news is a real risk.


Other than that, VPNs are nothing but money makers for the people running them. They most definitely aren't for your benefit.

Jul 28, 2025 7:58 AM in response to amd1

amd1 wrote:

Kurt Lang and MrHoffman thanks again for your replies.

I think what's confusing me is that if connections are already encrypted, then why are VPNs necessary at all - at home or at the office? The answer is probably in some of the links you shared earlier, which I will definitely read as soon as I get a chance. I'd love to learn more about how all of this works, so at the very least, I can make some informed choices in the future.


Why would completely unnecessary second and poorly-implemented connection encryption in service of metadata collection be at all confusing?


There are two things called VPN.


The first thing called a VPN is an actually-useful and legitimate means to connect into a private network. The other thing called a VPN is a bad solution to a problem that hasn’t existed for a decade, but a bad solution perfect for metadata collection.


At some point, I suspect the legitimate VPN stuff will get renamed, though software defined networking (SDN) (e.g. ZeroTier, etc) may be that rename.


BTW, just looked up 'ODoh', as I'd not come across that term before - fascinating. I have a lot to learn! ☺️


A whole lot of the reporting on VPNs is allegedly funded by the “coffee shop” VPN providers themselves, too.


There have been (and are) vendors that paid for product reviews, too. Apple has cracked down on that in the app store, but problems do continue. There is advertising pushing VPNs right now that reeks of fraud, claiming to scan (falsely) and claiming to find malware (falsely), and offering a VPN as the solution. And VPNs don’t protect against what the advertising claimed (falsely) to find (falsely).


Add-on security products are often difficult to distinguish from actual malware. One of the better-known add-on anti-malware apps for Mac was caught and a fine (of what I’d consider an inconsequential sum) was levied for collecting and selling personally-identified web browsing and web purchasing data. Fined not because they collected and sold your activities, but fined because they didn’t bury the disclosure somewhere in their licensing agreement.


Much of the worst of tech is funded by hype and metadata collection, with AI being another notable example. The AI hype has been overpromising as most hype is wont, and unsurprisingly underdelivering on statistical corpora-based next-word guessing.

Jul 28, 2025 8:03 AM in response to Kurt Lang

Kurt Lang wrote:

…And a VPN can help to temporarily hide your location. Good for journalists in countries where getting arrested and disappeared for reporting the news is a real risk.


I’d be exceedingly cautious there, as VPNs are easy to spot for entities with pervasive access.


Some regions will block them.


Others undoubtedly monitor them.


Governments and police providing “secure” communications for criminals happens, too.


Jul 28, 2025 10:19 AM in response to MrHoffman

MrHoffman wrote:

At some point, I suspect the legitimate VPN stuff will get renamed, though software defined networking (SDN) (e.g. ZeroTier, etc) may be that rename.


That would be a very good idea.


At present those commercial add-on products are leveraging legitimate uses of a "real" VPN — one that is private and closed — for purposes that are often anything but.


What's the difference between a commercial VPN and a "man in the middle" exploit? For that matter, what's the difference between Chrome and a Trojan?


It's just a matter of perspective. Gaslighting continues to be a very effective marketing strategy. And there is no "truth in advertising" clause on the Internet.

Jul 28, 2025 10:31 AM in response to John Galt

John Galt wrote:


MrHoffman wrote:

At some point, I suspect the legitimate VPN stuff will get renamed, though software defined networking (SDN) (e.g. ZeroTier, etc) may be that rename.

That would be a very good idea.

At present those commercial add-on products are leveraging legitimate uses of a "real" VPN — one that is private and closed — for purposes that are often anything but.


Yep.


What's the difference between a commercial VPN and a "man in the middle" exploit? For that matter, what's the difference between Chrome and a Trojan?


The EULA.


It's just a matter of perspective. Gaslighting continues to be a very effective marketing strategy. And there is no "truth in advertising" clause on the Internet.


FIFY: «And there is [the] “no truth in advertising" clause on the Internet.» 😉

Jul 28, 2025 12:45 PM in response to Kurt Lang

That image doesn’t show that the connections are encrypted end-to-end independent of the use of a VPN, and the part of the image that states “not encrypted” indicates no VPN encryption (or no doubled encryption), but the connection remains end-to-end encrypted.


The image also omits the metadata leak at the VPN server, given the VPN provider can match your identity to your other uses of the VPN, as well as the ability to infer other details from the connections.


The VPN provider has as much (and quite possibly more) info than the ISP has.


Those VPN providers that expect users to install and trust a certificate can potentially see much more of your traffic.

Jul 28, 2025 5:55 PM in response to MrHoffman

Yes, but that's why I prefaced it with "very basic".


It really only applies if the site you're visiting isn't https. Which is fairly rare nowadays. Otherwise, much more common now (as you stated), the data between the user and the third party VPN is uselessly encrypted twice, and the outbound side of the VPN is back to being encrypted once between your browser and the server/site you're visiting.


Either way, along with your other notes, a third party VPN has no use. At least, none that I can see.

Jul 30, 2025 1:17 AM in response to Kurt Lang

Kurt Lang wrote:

if you go anywhere that would be considered a commonly used commercial site, they're already httpS. The connection is already secure/encrypted.

Ah! Got it now, thanks 😊


Re watching foreign tv; I've used mine for that - to watch stuff from my home country, as I live abroad. Quite handy for that, but not much else from what I've learned here over the last few days.

Jul 30, 2025 5:16 AM in response to amd1

amd1 wrote:

How do you know/how come the connection between the third party VPN and the server isn't connected? If the website the VPN is connecting to is https, wouldn't that be encrypted?


It is encrypted.


As MrHoffman explained,


That image doesn’t show that the connections are encrypted end-to-end independent of the use of a VPN, and the part of the image that states “not encrypted” indicates no VPN encryption (or no doubled encryption), but the connection remains end-to-end encrypted.


... and as Kurt Lang explained,


Yes, but that's why I prefaced it with "very basic".


It's not a very good graphic, but it does illustrate the "man in the middle" nature of a third party VPN. Yes, I do intend to conflate that description with a "man in the middle" attack, because there is no technologically meaningful difference between the two. You're effectively handing the keys to your Internet security over to someone saying "trust me" with a smile.

Jul 30, 2025 8:01 AM in response to amd1

amd1 wrote:
How do you know/how come the connection between the third party VPN and the server isn't connected? If the website the VPN is connecting to is https, wouldn't that be encrypted?


Correct.


Connections using TLS (which includes web browsers using HTTPS) are encrypted end-to-end.


Apple has been requiring end-to-end encryption for App Store apps for a while.


Apple’s own apps use end-to-end encryption and, as is the case with Safari, show big warnings for unencrypted (HTTP) connections.


Where present, Apple has been removing other apps (e.g. ftp, telnet) that don’t use end-to-end encryption, requiring users to install those apps if needed.


Note that a privileged position can allow inferences about connections, which is why iCloud+ Private Relay and ODoH and the existing TLS end-to-end connections can be useful for privacy, and why the “coffee shop” VPN providers collecting those personally-identified inferences can be profitable while providing negligible added security benefit.
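The points made in the last few replies (a TLS/HTTPS connection stays end-to-end encrypted inside a VPN tunnel; the VPN server still sees metadata such as the destination and the size of what it forwards; and a VPN provider whose certificate you have installed and trusted can see much more) can be modelled in a few dozen lines. The following is an added example, not code from any poster in the thread. Its cipher is a toy HMAC-SHA256 stream cipher with an HMAC tag, assumed here as a stand-in for both TLS record encryption and tunnel encryption; it is not TLS and not any real VPN protocol. The hostnames, key labels and request text are constructed.

```python
"""Why HTTPS stays end-to-end encrypted inside a "coffee shop" VPN tunnel, and
what the VPN operator can still see.

Added example for this thread, not code from any poster. The cipher here is a
toy HMAC-SHA256 stream cipher with an HMAC tag, standing in for both TLS record
encryption and tunnel encryption; it is not TLS, not any real VPN protocol, and
not for real use. Hostnames, key labels and the request text are constructed.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 12, 32


def derive_key(label):
    """Constructed key from a label (stands in for a real key exchange)."""
    return hashlib.sha256(label).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Reverse of seal(); raises ValueError if the key is wrong or data was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed keys. The TLS session key exists only on the browser and the origin
# site; the tunnel key exists only on the device and the VPN server.
TLS_SESSION_KEY = derive_key(b"browser <-> example-bank.test session")
TUNNEL_KEY = derive_key(b"device <-> vpn-provider.test tunnel")


def client_send(host, request, session_key=TLS_SESSION_KEY):
    """Browser seals the request for the origin (TLS layer), then the VPN client
    wraps that record plus the destination in the tunnel (second layer)."""
    tls_record = seal(session_key, request.encode())
    inner = json.dumps({"dst": host, "record": tls_record.hex()}).encode()
    return seal(TUNNEL_KEY, inner)


def vpn_server_view(tunnel_packet):
    """What the VPN operator learns after peeling off only the tunnel layer:
    destination and size (metadata), but not the request itself."""
    inner = json.loads(open_(TUNNEL_KEY, tunnel_packet))
    record = bytes.fromhex(inner["record"])
    view = {"dst": inner["dst"], "record_bytes": len(record), "plaintext": None}
    try:
        view["plaintext"] = open_(TUNNEL_KEY, record).decode()
    except ValueError:
        pass  # the TLS record does not authenticate under the tunnel key
    return view, record


def origin_receive(record):
    """The origin site opens the TLS layer with the key only it and the browser hold."""
    return open_(TLS_SESSION_KEY, record).decode()


def interception_view(tunnel_packet, vpn_session_key):
    """If the device trusts a certificate the VPN provider issued, the provider can
    terminate TLS itself and so holds the session key: the request is readable."""
    inner = json.loads(open_(TUNNEL_KEY, tunnel_packet))
    return open_(vpn_session_key, bytes.fromhex(inner["record"])).decode()


if __name__ == "__main__":
    pkt = client_send("example-bank.test", "GET /balance HTTP/1.1")
    view, record = vpn_server_view(pkt)
    print("VPN operator sees:", view)
    print("Origin site reads:", origin_receive(record))
    mitm_key = derive_key(b"session with a VPN-issued certificate")
    pkt2 = client_send("example-bank.test", "GET /balance HTTP/1.1", session_key=mitm_key)
    print("With a trusted VPN certificate, VPN reads:", interception_view(pkt2, mitm_key))
```

Running it prints the VPN operator's view with `plaintext` set to `None` but the destination host and record size filled in, which is exactly the metadata position described above; only in the second run, where the browser's session key was negotiated with a certificate the VPN controls, does the operator get the request text. That is the practical reason to be wary of any VPN product that asks you to install and trust its certificate.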

Jul 31, 2025 11:01 AM in response to amd1

Thanks again John Galt and MrHoffman for your replies. I'm glad I asked my original firewall question, as I've learned a lot of other important stuff too.


Going back to my original question for a moment; you've all recommended leaving the firewall off except for users who know what they're doing. I'm wondering if there's any harm in having it on? Can it cause problems of any sort for the average user?



Jul 31, 2025 1:00 PM in response to amd1

Going back to my original question for a moment; you've all recommended leaving the firewall off except for users who know what they're doing.


I am reluctant to characterize it in that manner only because it implies some people don't know what they're doing — which may be true, but it hints of arrogance.


I am willing to characterize the macOS application firewall as primarily a marketing feature though, so that clueless "IT Administrators" can ask if those Apple things have a firewall, and Apple can confidently and correctly answer in the affirmative: Yes it has a firewall. Next question.


There, I said it. "IT Professionals™" generally don't know what they're doing. I fired most of those I ever had the pleasure of meeting.


I'm wondering if there's any harm in having it on? Can it cause problems of any sort for the average user?


Sure, if you do anything with your Macs that goes beyond basic Internet use, printing, emailing, that sort of thing, it will only result in your own inconvenience when things don't work. Go ahead and turn it on, but you'll probably want to turn it off when it becomes a pain in the posterior.
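The original question asked what the entries allowing incoming connections are, and the reply above notes that the application firewall mostly shows up as things not working once it is on. A practical way to see (and adjust) exactly what it is allowing, without toggling the whole firewall, is the command-line tool behind the Firewall settings pane. The following is an added example, not Apple's code or any poster's: it drives `/usr/libexec/ApplicationFirewall/socketfilterfw` with its own `--getglobalstate`, `--getstealthmode`, `--getallowsigned`, `--listapps`, `--blockapp` and `--unblockapp` options, and parses the `--listapps` output. The embedded sample output is constructed to match that tool's format so the parser can be exercised on any system; the application paths in it are invented.

```python
"""Inspect the macOS application firewall from the command line.

Added example for this thread; it is not Apple's code or any poster's.
It drives /usr/libexec/ApplicationFirewall/socketfilterfw (the tool behind
System Settings > Network > Firewall) and parses its --listapps output to
show which applications are currently allowed incoming connections.
SAMPLE_LISTAPPS is constructed to match that output format so the parser
can be exercised off-macOS; the application paths in it are invented.
"""
import os
import re
import subprocess

SOCKETFILTERFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"

# Constructed sample of `socketfilterfw --listapps` output (invented paths).
SAMPLE_LISTAPPS = (
    "ALF: total number of apps = 3\n"
    "\n"
    "1 :  /Applications/ExampleChat.app\n"
    " \t ( Allow incoming connections )\n"
    "2 :  /Applications/ExampleVideoTool.app\n"
    " \t ( Block incoming connections )\n"
    "3 :  /Applications/ExampleSync.app\n"
    " \t ( Allow incoming connections )\n"
)

ENTRY_RE = re.compile(r"^\s*\d+\s*:\s*(?P<path>\S.*?)\s*$")
STATE_RE = re.compile(r"\(\s*(?P<state>Allow|Block) incoming connections\s*\)")


def parse_listapps(text):
    """Return [(app_path, allowed_bool), ...] from --listapps output.

    Each entry is an 'N : /path' line followed by a '( Allow|Block incoming
    connections )' line; anything else (the ALF header, blank lines) is skipped.
    """
    entries = []
    pending_path = None
    for line in text.splitlines():
        state = STATE_RE.search(line)
        if state and pending_path is not None:
            entries.append((pending_path, state.group("state") == "Allow"))
            pending_path = None
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            pending_path = entry.group("path")
    return entries


def firewall_report(listapps_text):
    """Split parsed entries into the apps allowed and the apps blocked."""
    entries = parse_listapps(listapps_text)
    return {
        "allowed": [path for path, allowed in entries if allowed],
        "blocked": [path for path, allowed in entries if not allowed],
    }


def run_socketfilterfw(*args):
    """Run the real tool; only works on macOS (state changes also need sudo)."""
    if not os.path.exists(SOCKETFILTERFW):
        raise FileNotFoundError("socketfilterfw not present: this is not macOS")
    result = subprocess.run([SOCKETFILTERFW, *args], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    try:
        # Overall state, stealth mode, and whether signed software is auto-allowed
        # (auto-allow is often why entries appear in the list without you adding them).
        for flag in ("--getglobalstate", "--getstealthmode", "--getallowsigned"):
            print(run_socketfilterfw(flag).strip())
        report = firewall_report(run_socketfilterfw("--listapps"))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"Could not query the live firewall ({exc}); using the constructed sample.")
        report = firewall_report(SAMPLE_LISTAPPS)
    for path in report["allowed"]:
        print("ALLOW incoming:", path)
    for path in report["blocked"]:
        print("BLOCK incoming:", path)
    # To stop one listed app from accepting incoming connections instead of
    # disabling the whole firewall (needs sudo):
    #   sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /Applications/ExampleChat.app
    # --unblockapp reverses it.
```

On a Mac, run it with `python3` to see the live list; elsewhere it falls back to the constructed sample. Entries in the "allowed" list are what the settings pane shows as allowing incoming connections, and blocking a single app with `--blockapp` is the targeted alternative to turning the firewall off when something stops working.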
