- May 4, 2018
- 2,261
As Silversurfer stated, it all depends on what you're after. Tinywall is very light, 2MB install.
~LDogg
TinyWall Version 3 released! (Sept 2020)
- Thread starter ultim
- Start date
~LDogg
You can. If you don't use PiHole in your network, i would activate the lists.
- Apr 15, 2020
- 227
Malwarebytes Windows Firewall Control also has a learning mode that disables notifications for all programs that don't have a digital signature.
So both add outgoing block/filtering to the native firewall, so basically are the same... both are small, maybe Tinywall uses less Ram.
- Apr 24, 2016
- 7,256
Correct, but Tinywall has no notifications by design.
Is slightly more complex for an unexperienced user.
- Sep 5, 2017
- 1,173
but it is main purpose working silently in the background with out intrusive popups and notifications
- Apr 15, 2020
- 227
It doesn't popup intrusive notifications because it blocks EVERYTHING, you need to exclude every single program manually.
Last edited:
- Mar 29, 2018
- 7,613
It's up to you.
@DSD27 - You'll only know by reading more about each and seeing what suits you. They're both good firewall apps. WFC is simply a GUI for Windows Firewall. TW can be used with or without Windows Firewall.
Last edited:
- Sep 5, 2017
- 1,173
yes i know that was my reply i am already using it
- Apr 15, 2020
- 227
No, you said it works silently in the background. Blocking everything isn't exactly "working", it just blocks everything. It's you who have to do all the work.
There's also an option on Windows Firewall Control do disable all notifications. The differences must be somewhere else....
- Sep 5, 2017
- 1,173
No it is default rule to block everything except some predefined rule created by tiny wall in windows firewall rules you should whitelist every process or executable needed one by one .or just use learning mode for first time .you misunderstood my pharse "working silent " I'm mean by default block all which mentioned in its documentation
read this from FAQ from the official site from the following link:
Last edited:
The download link on your homepage use HTTP instead of HTTPS! manually changing the link works, but normal users doesn't know that or forget it.
You should fix that
Also you better replace the MD5 and SHA1 checksum with more secure ones, as both are already broken.
SHA512 is best but SHA256 is still ok.
Here the checkum values for both:
Code:
SHA256: 48a3ae91f00231d199628932e09697e591db4c6d037d585a8a964a1fd4dd15e3
SHA512: 808ea899e4d2eb567c5499724b05fb1ae425b4f89a6824e9019e79793c854dfc954df23298e091eeb23bd132862f6179700a07ffe598b608855aab616065f985
- Sep 5, 2017
- 1,173
This is new info for me thanks alot @security123The download link on your homepage use HTTP instead of HTTPS! manually changing the link works, but normal users doesn't know that or forget it.
You should fix that
Also you better replace the MD5 and SHA1 checksum with more secure ones, as both are already broken.
SHA512 is best but SHA256 is still ok.
Here the checkum values for both:
Code:SHA256: 48a3ae91f00231d199628932e09697e591db4c6d037d585a8a964a1fd4dd15e3 SHA512: 808ea899e4d2eb567c5499724b05fb1ae425b4f89a6824e9019e79793c854dfc954df23298e091eeb23bd132862f6179700a07ffe598b608855aab616065f985
- Sep 5, 2017
- 1,173
@ultim
is there any way to whitelist certain domain or server connection i Tinywall ??
for example i want to whitelist my get hub repository link so i could push/clone it through pycharm IDE
as you could see clone failed although pycharm executable/processes are whitelisted
is there any way to whitelist certain domain or server connection i Tinywall
??for example i want to whitelist my get hub repository link so i could push/clone it through pycharm IDE
as you could see clone failed although pycharm executable/processes are whitelisted
- Aug 17, 2014
- 11,108
TinyWall Changelog
3.0.4 - Maintenance release (26.04.2020.)
- Make language changes take effect without a GUI restart
- Handle WMI errors gracefully in service
- Wait longer for service availability after loading desktop
- Avoid harmless exception being logged during system shutdown
- Prevent opening the Manage window when other windows are active
- Fix wrongly positioned GUI elements in Dutch and Russian localizations
- Fix potential race condition of UI timer during exit
- Fix traffic rate text ignores selected GUI language
- Updated Russian and Spanish localizations
3.0.4 - Maintenance release (26.04.2020.)
- Make language changes take effect without a GUI restart
- Handle WMI errors gracefully in service
- Wait longer for service availability after loading desktop
- Avoid harmless exception being logged during system shutdown
- Prevent opening the Manage window when other windows are active
- Fix wrongly positioned GUI elements in Dutch and Russian localizations
- Fix potential race condition of UI timer during exit
- Fix traffic rate text ignores selected GUI language
- Updated Russian and Spanish localizations
Download TinyWall
This is TinyWall's official download page. Get it free from here.
tinywall.pados.hu
- Oct 13, 2011
- 86
The download link on your homepage use HTTP instead of HTTPS! manually changing the link works, but normal users doesn't know that or forget it.
You should fix that
Also you better replace the MD5 and SHA1 checksum with more secure ones, as both are already broken.
SHA512 is best but SHA256 is still ok.
Here the checkum values for both:
Code:SHA256: 48a3ae91f00231d199628932e09697e591db4c6d037d585a8a964a1fd4dd15e3 SHA512: 808ea899e4d2eb567c5499724b05fb1ae425b4f89a6824e9019e79793c854dfc954df23298e091eeb23bd132862f6179700a07ffe598b608855aab616065f985
Hi, sorry for the late reply.
Both of your warnings are incorrect. You cannot even access the website over HTTP or any of its files at all. All HTTP access is automatically upgraded (redirected) to HTTPS by the server, so it doesn't matter what format the links are in. I challenge you to download TinyWall from its website over an unencrypted connection, you cannot (and I haven't changed anything, this has been like this since many years).
As for the hashes, these are used for file integrity verification and not security purposes, and MD5 and SHA1 are perfect choices here due to their compatibility and speed. Using hashes on the webpage for security purposes would be pure nonsense because if the downloads were compromised or replaced by an attacker, they can also replace the hashes on the download page. So it doesn't matter how secure the hash functions are, *any* download hashes distributed on a webpage are insecure by nature. Choosing a cryptographically secure hash and then publishing it on the webpage to verify the authenticity of the download would be like buying the most expensive and secure lock for your house, and then hiding the key to it under door mat outside - it only gives a false impression of security without any benefit.
To verify the authenticity of the download (to make sure it has not been replaced by an attacker) you always have to look at the digital signature of the downloaded file. Digital signatures are the only valid and secure method for this purpose. Of course, TinyWall comes digitally signed, so there is no problem here either. And the signature hash algorithm is SHA-256, so it is secure as it should be.
In other words, none of the points you brought up need addressing.
Last edited:
- Oct 13, 2011
- 86
Not currently, unfortunately. You can create rules based on application identity, protocols and ports, but not based on domains or IPs. The git clone in your screenshot failed for another reason though. You whitelisted pycharm, but the clone is probably made by git's own process, not by pycharm, so pycharm's rule does not apply to the cloning process. The easiest solution in this case would be (possible in TinyWall since 3.0) is to edit the pycharm rule and tick "Apply same rules to child processes".@ultim
is there any way to whitelist certain domain or server connection i Tinywall
for example i want to whitelist my get hub repository link so i could push/clone it through pycharm IDE
as you could see clone failed although pycharm executable/processes are whitelisted
View attachment 237950
I need to be more accurate next time..
I mean the link to your program:
As you can see, the download link go over HTTP (http://tinywall.pados.hu/ccount/click.php?id=4)
The link to changelog use HTTPS.
MD5 and SHA1 are broken and shouldn't use anymore. It doesn't make a noticeable speed difference to generate SHA256 instead of MD5 & SHA1 nowadays.
Anyway of course hosting the checkum on another server is better. Maybe you can post that here
- Oct 13, 2011
- 86
No, I understood you perfectly, but it seems I didn't get my point about the link over to you. It doesn't matter that the link is http://, it will still give you an encrypted connection. Now, I'm still going to change the link to https just so that people like you don't get confused over it, but I'll leave it like this for a day or two to let you try it out and see for yourself. http:// or httpS:// doesn't matter on TinyWall's website, everything is over an encrypted connection.
MD5 and SHA1 are broken only as cryptographic hashes, but hashes in general have other applications too. You seem to be missing the fact that not all applications of hashes need to have cryptographically secure properties. Verifying download/file integrity is a perfectly valid and safe use even for "broken" hashes like MD5. As a counterexample, yes it would be very bad if MD5 was used as the hash algorithm for passwords or in TinyWall's digital signature, but those are different applications with different demands than the one on the website.
You are correct that hosting the hashes on a different server than the downloads (like, here) would improve their security. The problem with that is nobody would know about them and hence nobody would be able to check them, except for the few people coming to this thread. And no I cannot just link it from the download page, because again, if somebody can replace the download, then the link leading to the correct hashes will be also modified by the same attacker.
Please stop obsessing over the MD5/SHA1 on the download page, there is no good reason they need to be SHA-any-big-number. That would be actually worse, because it would give people a false impression of security. If you are really serious about the issue, you should get used to relying on download signatures instead of posted hashes. This is what digital signatures were made for, and there is a reason they exist.
Last edited:
For me, Edge block the download as I enable internal flag to disable unsecure downloads.
Maybe that's the reason but good that you're fix that in the end
