Comment 3 for bug 1559455

Bob Meyers (bobgmeyers) wrote:

I appreciate your effort here, but I don't think an internet firewall is the right approach. Nobody actually knows which websites or internet addresses they can trust or not. For one thing, even benign websites might get hacked, spilling your data to a malicious third party.

To be clear, I'm not trying to solve the problem of untrustworthy websites. I'm trying to address the unnecessary provision of network access.

In my design, there would not be any popups, other than perhaps a display-once dialog just to inform the user of the existence of the feature. Any attempt to access the network would simply result in an error, similar to an error that would be generated when accessing a file without permission.

For example, my calculator does not need to connect to the network. I don't care if it has a bug because I can download a new version to fix it. Yes, it would be somewhat easier for me if the calculator updated itself from its home on the web, but allowing this to occur is not worth the risk that it's either incompetent about security or downright malicious. A network disconnect switch in the corner of the calculator (probably on its title bar) would be all that's necessary. (This button would not be visible to or controllable by the calculator itself.) The state of this button would be remembered across launches.

If you don't like the idea of a button, you could have an "app firewall" as opposed to a normal internet address firewall. You could allow the user to blacklist or whitelist apps, as opposed to internet addresses. This method would not involve user interface changes. By default, all apps could be whitelisted so users who don't care about security could just have things work as usual. This is undesirable from a security perspective, but it's probably necessary from a marketing perspective.

I suppose that part of the implementation problem is that obtaining network access is very similar to obtaining file system access, so there is no "open network" call that you can just block. (Well, if there is, then block it.) However, you could look at the file being requested to see if it starts with "http" or "ftp" in some mix of letter cases, for example. I'm not sure which specific OS functions are involved, but I assume that's well known.

This is not intended to be airtight. You have based your OS on Ubuntu's broken codebase, and conduct updates via HTTP, so there's no realistic hope for that. The point is just to kill as many backdoors as possible with as little effort and development time as possible. Sophisticated malware will still get in.
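The per-app switch described in this comment (default allow, a per-app deny that is remembered across launches, a plain permission-style error instead of a popup, and the "does the path start with http/ftp" heuristic) can be sketched as a small policy gate. This is an added illustration, not code from the bug report or from the OS project under discussion; the app names, the JSON store path and the `open_resource` gate are assumptions made for the example.

```python
"""Per-application network gate modelled on the design in the comment above (added example)."""
import json
import os
import tempfile
from urllib.parse import urlsplit

# The comment's "starts with http or ftp in some mix of letter cases" test,
# expressed as a case-insensitive URL scheme check.
NETWORK_SCHEMES = {"http", "https", "ftp", "ftps"}


class AppNetworkPolicy:
    """Per-app allow/deny table persisted to disk so the switch survives relaunches."""

    def __init__(self, store_path, default_allow=True):
        # default_allow=True matches the comment's "all apps whitelisted by default";
        # default_allow=False gives the stricter allowlist mode.
        self.store_path = store_path
        self.default_allow = default_allow
        self.overrides = {}  # app name -> True (allowed) / False (denied)
        self.load()

    def load(self):
        if os.path.exists(self.store_path):
            with open(self.store_path) as f:
                self.overrides = json.load(f)

    def save(self):
        with open(self.store_path, "w") as f:
            json.dump(self.overrides, f)

    def set_network(self, app, allowed):
        """The 'disconnect switch' in the app's title bar; the app itself never calls this."""
        self.overrides[app] = bool(allowed)
        self.save()

    def is_allowed(self, app):
        return self.overrides.get(app, self.default_allow)


def looks_like_network_target(target):
    """Heuristic from the comment: does the 'file' being opened name a network resource?"""
    scheme = urlsplit(target).scheme.lower()
    return scheme in NETWORK_SCHEMES


def open_resource(policy, app, target):
    """Gate an open-style request. A denied app gets a permission error, no popup."""
    if looks_like_network_target(target) and not policy.is_allowed(app):
        raise PermissionError(f"{app}: network access denied for {target}")
    return ("opened", target)  # stand-in for the real open; local files always pass


def demo():
    """Constructed scenario: deny the calculator, 'relaunch', confirm the switch persisted."""
    store = os.path.join(tempfile.mkdtemp(prefix="appnet-"), "policy.json")  # assumed store path
    session1 = AppNetworkPolicy(store)
    before = session1.is_allowed("calculator")
    session1.set_network("calculator", False)
    session2 = AppNetworkPolicy(store)  # simulates the next launch reading the saved table
    results = {
        "calculator_before": before,
        "calculator_after_relaunch": session2.is_allowed("calculator"),
    }
    try:
        open_resource(session2, "calculator", "HTTP://updates.example.invalid/calc.bin")
        results["calc_update_blocked"] = False
    except PermissionError:
        results["calc_update_blocked"] = True
    results["calc_local_file"] = open_resource(session2, "calculator", "/home/user/notes.txt")[0]
    results["browser_web"] = open_resource(session2, "browser", "https://example.invalid/")[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The scheme heuristic only sees requests that go through a path-like open call; a program that creates a socket directly never presents a string starting with "http", which is why the comment's own preference for blocking an "open network" call where one exists is the stronger place to put the gate.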