Blocking / Allowing based on certificates

Quite frankly, I doubt I would use such a feature, but I could see some benefit to globally allowing (or blocking) based on a publisher’s certificate.

I have a few people I provide support for and I have convinced several of them to buy Glasswire. I always have them turn on VirusTotal checking and instruct them on how to verify zero engines at VirusTotal have determined something is malicious before they allow a program to access the network.

But GlassWire can be pretty noisy, especially at the start.

I think it might be nice to have an option (off by default) that would allow all traffic for a given publisher’s certificate. For people I help, I would probably recommend they silently allow all traffic if the program is signed with Microsoft’s certificate (as long as it can be checked to make sure it is valid and not revoked).

Might be a little tricky in designing how people would select certificates they trust. But it might be something like, select and executable from a trusted vendor, and have GlassWire extract the certificate details.

As I said, I would not use this - especially for Microsoft - since I love to block their crap I don’t want like Photos (I know I can remove it, but it comes back twice a year with feature updates). But it could make GlassWire a lot easier to use for a general user.

Cheers, Chris

1 Like

@CTaylor

Thanks for your feedback.

I have also thought quite a lot about the “noisy” issue and I have thought perhaps we should add several options on install. One option shows all “new” connections, one option shows only a daily summary, and the third option shows no desktop notifications at all. We could implement this for Android and Windows both.

However, weirdly enough I don’t see a lot of complaints about the “new” notifications. Otherwise we would have changed it a long time ago probably.

For the certificates, I myself would use that feature a lot. I’d probably “allow all” but unsigned apps myself. As long as I’m still getting “new” notifications for ALL new apps then I’d feel safe with that setting.

Thanks Ken.

I would really go as far as allowing people to choose to allow connections with programs that are digitally signed by a user-chosen list of certificates, even on new apps.

I don’t know how many publishers I would recommend that friends allow - perhaps only Microsoft.

There is a slight danger;

  • a publisher could have their signing certificate compromised
  • the publisher could get infected with something and sign infected executables

Because of this, I would only recommend to people I support that they trust apps signed by a very select few publishers - ones I think probably do an exceptional job of maintaining a very clean environment and who I think know the importance of guarding their signing certificate.

I will start a new posting for another idea I have regarding automatic approval of apps to access the network.

Chris

1 Like

That is an interesting suggestion to add a certificate filter.

I usually deal with Glasswire startup “noise” after I do a clean install of Glasswire by enabling “Click To Block”, rather than “Ask To Connect”. I run it this way for a day or two, which gets most of the asking out of the way. Sort of a “training” period.

Then I review the list of apps in the Firewall tab that have accessed the net, and if there are any that I don’t like having access, I block them at that point.

Of course I do this knowing that I already have a clean system, where everything already had passed a VirusTotal scan. Blocking stuff at this level really only amounts to privacy protection rather than a security strategy.

I typically don’t install or execute any new software during this training period, so everything already on-board is a known safe app. I’m not sure if I would use this approach with a computer with a dubious or unknown security profile.

2 Likes

I do the exact same thing myself. :+1:

2 Likes

Good ideas! Thanks.

Chris

1 Like

Many of my average users who try out a firewall are frustrated by having fundamental Windows features trapped by the firewall. They have asked (and requested) “something” to permit Windows features to be automatically “allowed” through the firewall without any intervention by the user. There is an equal split among the users in wanting any notification at all for MS provided features or apps. Those that want a notification want only an informational entry that notes - upon the first use - that a “standard” Windows feature or MS application has been automatically “allowed” through the firewall and functions correctly, which from their perspective is precisely what they are expecting.

There is radically less concern regarding MS spying than there is regarding a rogue bad actor getting into the system and compromising personal identity information - or in particular - accessing financial data or breaching financial accounts. Average users comprise the overwhelming majority of the worldwide Windows user base and are simply not interested in “configuring” a firewall for Windows features that they “expect” to function. These users are not interested or, in may instances, capable of distinguishing between a white or black application…much less a “gray” application.

Automatically allowing certificate signed apps are a start at helping the average users. But, there are quite a few Windows features or services and MS apps that still fall outside that category - and that the average users expect to function. If a firewall states that it contains a feature that will automatically allow certificate signed features and apps through the firewall, then those same users will likely not understand how to deal with an “Allow or Deny” popup that is flagging a just accessed “Windows” or “MS” app or service that wasn’t in the automatic allow list. This is a major hurdle for those users - keeping in mind that these users comprise the overwhelming majority of the user base. Thus, there is a major hurdle - or resistance - for acceptance of any firewall.

I strongly suggest that not only is an automatic allow option for certificate signed items implemented, but that an automatic allow option for all Windows and MS provided features, services, and apps be implemented. I understand that the more technically inclined users would likely never choose the latter option - but - that should not preclude providing such an option for the overwhelming majority of the Windows user base.

Selecting a blanket allow for all Windows and MS items does permit potentially greater telemetry transmission to MS. However, once again, while not “thrilled” with the telemetry, my users absolutely do not consider MS the threat. It is the concern for a third party bad actor gaining phoning home invisible access to their data that is their concern.

Ken - I strongly encourage the provision of “options” that make it possible for the average user to realize the security, protection, and monitoring benefits of Glasswire. While your program is wonderful as it is, it is not something that I can successfully interest very many average users in utilizing - nor any other firewall for that matter. While there is no true set and forget…one can offer options that at least match the telemetry permission level (tolerance) that the user “accepted” (knowingly or not - it is in fact accepted) when their Windows account was installed on their computer. At the very least, this would permit matching firewall performance to the users experience with the performance of Windows itself.

…just my thoughts…for helping frustrated users…

1 Like