Why Personal Firewalls Piss Me Off

2005-Mar-25, Marton Anka

I have a couple of retired parents and personal firewall software is a godsend for them. I thank the pioneers who invented them and wish all the best to the ZoneLabs founders with their millions from the Checkpoint acquisition.

I also work at a software company, and dealing with software conflicts between our products and personal firewalls is a nightmare. Of course, our Tech Support is handling it, but with a few simple changes to how these "firewalls" work, all our problems would go away. The fact that these changes are innocent and obvious, yet have not been made, makes me truly despise people who design personal firewalls.

Go figure.

Problem 1: Updates

If the user approves your software within his personal firewall, then everything works... until your software is updated.

(Image: Problem 1 illustrated)
At this point the user is prompted to approve the software again, which is a nuisance at best. At worst, if the user has turned on our "Automatic Updates" feature, the software is updated automatically and will cease to function until it is approved again. The latter can be a huge problem if the computer is rarely within physical reach.

Solution 1: Digital Signatures

Authenticode(tm) has been around for ages. It does not take brains bigger than DVD Jon's balls to put two and two together:

If the user has approved a piece of signed code, and that code is updated but carries a valid signature from the same manufacturer, then don't, for god's sake, don't prompt the user. That is:

    a) If a software has been updated and needs to be re-approved by the user

    b) ... and said software, when originally approved, had a digital signature with subject X

    c) .. and said software, when originally approved, had a valid digital signature where the signer's certificate had public key Y

    d) ... and said software, after it's been updated, has a digital signature with the same subject X

    e) .. and said software, after it's been updated, has a valid digital signature where the signer's certificate has the same public key Y

    f) .. then it definitely is the same software, from the same company, so the user is going to click Yes if he's around - do not prompt, please, do not prompt.

    (The comparison of the signer's public key in c) and e) is the part that carries the weight: a subject name alone can be reproduced by anyone who manages to obtain a certificate with the same name, while the key cannot. "Valid" means the signature chains to a trusted root, so a revoked or untrusted signer falls back to the prompt as before.)
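
The check in a) to f), written out as an added example (this is not code from the post or from any firewall product): at first approval the firewall records the signer's subject and a hash of the signer's SubjectPublicKeyInfo; a later version is let through without a prompt only if its signature verifies against a trusted root and both the subject and the key match what was pinned. The binary layout, the self-signed test certificates, the trust pool and the "Example Software Inc." name are all constructed for the example. Real Authenticode signatures are PKCS#7 blobs over a digest of the PE image and are verified by the Windows crypto API; that framing is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedBinary is a constructed stand-in for a code-signed executable: the image,
// the signer's leaf certificate (DER) and an ECDSA signature over SHA-256(image).
type SignedBinary struct {
	Image   []byte
	CertDER []byte
	Sig     []byte
}

// Approval is what the firewall records when the user first clicks Yes:
// the signer's subject (X in the post) and a pin on its public key (Y).
type Approval struct {
	Subject  string
	SPKIHash string
}

func spkiHash(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// TrustedRoots builds the firewall's trust store from DER certificates.
func TrustedRoots(ders ...[]byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	for _, der := range ders {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		pool.AddCert(c)
	}
	return pool, nil
}

// Verify checks that the embedded certificate chains to a trusted root and is
// valid for code signing, then checks the signature over the image.
func Verify(b SignedBinary, roots *x509.CertPool) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return nil, err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("unsupported signer key type")
	}
	digest := sha256.Sum256(b.Image)
	if !ecdsa.VerifyASN1(pub, digest[:], b.Sig) {
		return nil, errors.New("signature does not match image")
	}
	return cert, nil
}

// Approve is the first, prompted approval: it verifies the binary and pins the signer.
func Approve(b SignedBinary, roots *x509.CertPool) (Approval, error) {
	cert, err := Verify(b, roots)
	if err != nil {
		return Approval{}, err
	}
	return Approval{Subject: cert.Subject.String(), SPKIHash: spkiHash(cert)}, nil
}

// MayUpdateSilently is the rule from the post: the updated binary carries a valid
// signature whose certificate has the same subject X and public key Y as the
// approved one. Unsigned, tampered, or same-name-but-different-key binaries
// return false and fall back to the prompt.
func MayUpdateSilently(prev Approval, updated SignedBinary, roots *x509.CertPool) bool {
	cert, err := Verify(updated, roots)
	if err != nil {
		return false
	}
	return cert.Subject.String() == prev.Subject && spkiHash(cert) == prev.SPKIHash
}

// NewSigner creates a self-signed code-signing certificate for subjectCN.
// Test scaffolding only; a real signer's certificate is issued by a CA.
func NewSigner(subjectCN string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subjectCN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// Sign produces a SignedBinary for image with the given signer.
func Sign(image []byte, key *ecdsa.PrivateKey, certDER []byte) (SignedBinary, error) {
	digest := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedBinary{Image: image, CertDER: certDER, Sig: sig}, err
}

func main() {
	vendorKey, vendorCert, _ := NewSigner("Example Software Inc.")
	roots, _ := TrustedRoots(vendorCert)
	v1, _ := Sign([]byte("product v1.0 image (constructed)"), vendorKey, vendorCert)
	approval, err := Approve(v1, roots) // the one prompt the user sees
	fmt.Println("first approval ok:", err == nil, approval.Subject)
	v2, _ := Sign([]byte("product v1.1 image (constructed)"), vendorKey, vendorCert)
	fmt.Println("update by same key, no prompt:", MayUpdateSilently(approval, v2, roots))
}
```

The interesting case is an impostor who obtains a trusted certificate with the identical subject name but a different key: the subject check in b) and d) passes, the key pin from c) and e) does not, and the user is prompted. A firewall that compared subjects only would wave that update through.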


Alternatively, as all firewall companies are out there to make a buck, I'd even be willing to subscribe to a "partnership program" with each and every one of them.

Part of the program should entail software manufacturers getting one or more "Product Certificates" from the firewall company that they could use to create signed manifests for inclusion with their applications. This way the firewall software could positively identify the application in question, regardless of the version, and forego the dreaded "Changed Program" prompts.

Problem 2: 127.0.0.1

Why do personal firewalls have to insist on protecting the loopback connection? It is a virtual interface that exists only on the local computer; packets sent to it never reach a physical network, so it cannot be used to connect to the "Internet".

(Image: Problem 2 illustrated)

Solution 2: Ignore It

As I said above: the 127.0.0.0/8 range is strictly local in nature. There's no need to confuse the user and tell him that it's the Internet when, in fact, it is not. Granted, it is IP (Internet Protocol) based, but that's all there is to it.

Traffic on it cannot leave the machine, accidentally or deliberately: a loopback socket can only talk to other sockets on the same host. (What loopback does not do is isolate local processes from each other. Any program running on the machine, including one a less-privileged user started, can connect to a loopback listener, so a service using it still has to check what it receives. That is the application's job, not something a firewall prompt solves.)

Loopback has one very significant use for us: we have to perform efficient and cross-platform (well, Win98, ME, NT4, W2K, WXP, 2K3) interprocess communication within our products. There are three candidates for an elegant solution:

    a) Named Pipes

    They work perfectly, but are not available in Win98 and ME, so they're a no-go.

    b) Anonymous Pipes

    They are supported on all operating systems, but are very restrictive in HOW they can be used. (No overlapped I/O and hence no IO completion port support, blocking reads only, etc.) They're a no-go.

    c) TCP/IP over the loopback connection

    It is supported on all operating systems, has a simple yet very flexible API. The IPC of choice, but then personal firewalls have to come and crap all over it.

Please fix this mess. Most personal firewall software out there is flawed when it comes to the loopback connection, with possibly the sole exception of Microsoft's Windows XP SP2 implementation.
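
Both halves of Problem 2, as an added example that is not from the post: a firewall-side classifier that treats a connection as local only when both endpoints are loopback addresses (anything in 127.0.0.0/8, or ::1), and the IPC pattern the post settled on, a TCP service bound explicitly to 127.0.0.1. The explicit bind is the detail that makes the "strictly local" property true: binding 0.0.0.0 would put the same port on every interface. The line-oriented echo protocol and the sample addresses are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// IsLoopbackPair is the rule the post asks of the firewall: when both ends of
// a connection are loopback addresses the packets never leave the host, so
// there is nothing to ask the user about. Any other pair keeps normal policy.
// Both host:port strings may be IPv4 ("127.0.0.1:80") or IPv6 ("[::1]:80").
func IsLoopbackPair(local, remote string) bool {
	return isLoopbackHostPort(local) && isLoopbackHostPort(remote)
}

func isLoopbackHostPort(hostPort string) bool {
	host, _, err := net.SplitHostPort(hostPort)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	// IsLoopback covers the whole 127.0.0.0/8 block and ::1.
	return ip != nil && ip.IsLoopback()
}

// StartLoopbackEcho is the IPC-over-loopback server: it binds 127.0.0.1 only,
// never 0.0.0.0, and still checks the peer before serving, because any local
// process can reach the port. It echoes each request line back with a prefix.
func StartLoopbackEcho() (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // port 0: let the OS pick one
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go serve(conn)
		}
	}()
	return ln, nil
}

func serve(c net.Conn) {
	defer c.Close()
	if !IsLoopbackPair(c.LocalAddr().String(), c.RemoteAddr().String()) {
		return // cannot happen with a 127.0.0.1 bind, but it is cheap to assert
	}
	r := bufio.NewReader(c)
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return
		}
		fmt.Fprintf(c, "echo: %s", line)
	}
}

// Call is the client side of the IPC: connect over loopback, send one
// request line, return the reply without its newline.
func Call(addr, msg string) (string, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := fmt.Fprintf(conn, "%s\n", msg); err != nil {
		return "", err
	}
	reply, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimSuffix(reply, "\n"), err
}

func main() {
	ln, err := StartLoopbackEcho()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	reply, err := Call(ln.Addr().String(), "hello")
	fmt.Println(reply, err)
	fmt.Println("local IPC, skip prompt:", IsLoopbackPair("127.0.0.1:51000", ln.Addr().String()))
	fmt.Println("real network, keep policy:", IsLoopbackPair("0.0.0.0:8080", "10.0.0.5:40000"))
}
```

Note that a listener bound to 0.0.0.0 that happens to receive a loopback connection still yields a loopback pair for that one connection; the classifier judges connections, not listeners. Whether to warn the user that the same service is also reachable from the network is a separate decision.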

Conclusion

From what I gather, excessive and unnecessary prompting of the user by a personal firewall is a bad thing - not only for ISVs but for the firewall manufacturer as well. (No wonder ZoneAlarm has a "Want to have fewer alerts?" link on all their popups.) The above would eliminate a great deal of them, all while keeping things neat and tidy for software companies too.

We have more than one million users across our product ranges. I would put a notice on our product pages in a heartbeat recommending firewall software that supported both of the solutions proposed above.