this post was submitted on 22 Sep 2023
66 points (98.5% liked)

Apple

The firewall bug in macOS 14 Sonoma betas and release candidates that we blogged about last week has been fixed by Apple.

Yesterday Apple released macOS 14 Sonoma Release Candidate 2 (23A344). This version no longer exhibits the invalid firewall rule evaluation that we observed in the earlier release candidate and betas (starting from beta 6). This also means that our VPN app now works fine in the latest Sonoma.

Why we were affected

Our VPN app is what we call a privacy preserving VPN client. This means its main purpose is not just to establish a tunnel and make sure it works, but also to ensure there are no leaks and no ways to de-anonymize the user.

To uphold the privacy preserving aspect, we do not think it is enough to solely rely on the routing table or Apple’s content filter provider API for making sure traffic that is supposed to go in the VPN tunnel actually does, because doing so leaves numerous potential leaks, for example this one [link in blog post] that was introduced in Big Sur. At Mullvad we believe in adding as many safety layers as possible. Denying unwanted traffic at the firewall layer is an obvious design choice for us.

The firewall bugs we saw could only be observed if the rules contained the quick option, meaning they terminate firewall rule evaluation early. Without quick, all network traffic will be evaluated by subsequent rules and anchors injected by Apple or other software on the computer. We see this as a potential risk. While it might be possible to write firewall rules for a VPN without quick, we want our rules to be as final as possible, for security.
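The paragraph above turns on one pf detail: rules are walked top to bottom and the last matching rule wins, unless a matching rule carries `quick`, which ends evaluation on the spot. The following toy evaluator is an added illustration, not Mullvad's code or pf itself. It models a kill-switch style ruleset (allow the tunnel interface and the VPN endpoint, block everything else) and then appends a permissive rule standing in for an anchor that another program injected later. Interface names (`utun0`, `en0`), the endpoint address and port, and the sample packets are all constructed values.

```python
"""Toy model of pf rule evaluation with and without `quick`.

Semantics modelled (these are pf's documented semantics): rules are evaluated
in order, the LAST matching rule decides the packet, and a matching rule with
`quick` stops evaluation immediately.  Anchors are evaluated in place, so a
later anchor's rules are modelled as extra rules appended to the list.
Addresses, interfaces and ports are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet leaves on, e.g. "en0" or "utun0"
    proto: str      # "tcp" or "udp"
    dst: str        # destination IPv4 address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    quick: bool = False            # stop evaluating once this rule matches
    iface: Optional[str] = None    # None means "any" (pf: no `on` keyword)
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""              # equivalent pf.conf line, for readability

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.iface, pkt.iface), (self.proto, pkt.proto),
            (self.dst, pkt.dst), (self.dport, pkt.dport)))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (decision, pf line of the deciding rule).
    When nothing matches, pf's implicit default is pass."""
    decision, winner = "pass", "<implicit default pass>"
    for rule in rules:
        if rule.matches(pkt):
            decision, winner = rule.action, rule.comment
            if rule.quick:
                break   # `quick`: later rules and anchors never see this packet
    return decision, winner


VPN_SERVER = "198.51.100.10"   # constructed sample endpoint (TEST-NET-2 range)


def vpn_rules(quick: bool) -> List[Rule]:
    """Kill-switch ruleset. With `quick`, allow rules go first and `block all`
    is final; without `quick`, pf style is block first and let later pass
    rules override (last match wins). Both behave the same in isolation."""
    q = " quick" if quick else ""
    allow = [
        Rule("pass", quick, iface="utun0", comment=f"pass{q} on utun0 all"),
        Rule("pass", quick, proto="udp", dst=VPN_SERVER, dport=51820,
             comment=f"pass{q} proto udp to {VPN_SERVER} port 51820"),
    ]
    block = [Rule("block", quick, comment=f"block{q} all")]
    return allow + block if quick else block + allow


# A permissive rule another program appended after the VPN client's rules,
# as a later anchor would look to any packet that reaches it.
INJECTED_ANCHOR = [Rule("pass", comment='anchor "other_app": pass all')]

SAMPLE_PACKETS = [
    Packet("en0", "udp", VPN_SERVER, 51820),     # tunnel handshake, must pass
    Packet("utun0", "tcp", "203.0.113.5", 443),  # traffic inside the tunnel
    Packet("en0", "tcp", "203.0.113.5", 443),    # plaintext outside the tunnel
]


def decisions(quick: bool, with_anchor: bool = True) -> List[str]:
    rules = vpn_rules(quick) + (INJECTED_ANCHOR if with_anchor else [])
    return [evaluate(rules, p)[0] for p in SAMPLE_PACKETS]


def leaks(quick: bool, with_anchor: bool = True) -> List[Packet]:
    """Packets that leave on a physical interface, are not bound for the VPN
    endpoint, and are nevertheless passed: exactly what a kill switch exists
    to prevent."""
    rules = vpn_rules(quick) + (INJECTED_ANCHOR if with_anchor else [])
    return [p for p in SAMPLE_PACKETS
            if p.iface != "utun0" and p.dst != VPN_SERVER
            and evaluate(rules, p)[0] == "pass"]


if __name__ == "__main__":
    for quick in (True, False):
        print(f"--- quick={quick}, with injected anchor ---")
        for p in SAMPLE_PACKETS:
            d, why = evaluate(vpn_rules(quick) + INJECTED_ANCHOR, p)
            print(f"{p.iface:6} {p.proto} {p.dst}:{p.dport:<5} -> {d:5} ({why})")
        print("leaked:", [f"{p.dst}:{p.dport}" for p in leaks(quick)])
```

Run it and the two rulesets agree until the extra rule is appended: with `quick` the plaintext packet on `en0` dies at `block quick all`, while without `quick` the later `pass all` becomes the last match and the packet leaks. That is the "as final as possible" property the post describes, and why a bug in `quick` handling specifically broke the client's guarantees rather than merely degrading them.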

top 3 comments
[–] dinckelman@lemmy.world 9 points 1 year ago* (last edited 1 year ago) (1 children)

I'm not using Mullvad, but my VPN client was having the same issue. Glad to hear it's fixed

[–] cod@lemmy.world 2 points 1 year ago

I do use Mullvad, and I’m Mullglad to hear it’s fixed too

[–] atthecoast@feddit.nl 5 points 1 year ago

Great that it’s fixed, I do think public exposure in Hacker News has helped!