DSD27

Level 5
It all depends on your needs...
Windows Firewall Control (by Malwarebytes) offers pop-up notifications of any outbound connections to the web, but TinyWall doesn't use popups at all; you need to whitelist manually or first use "learning mode".
Malwarebytes Windows Firewall Control also has a learning mode that disables notifications for all programs that don't have a digital signature.
So both add outgoing blocking/filtering to the native firewall, so they are basically the same... both are small; maybe TinyWall uses less RAM.
 

Gandalf_The_Grey

Level 34
Verified
Trusted
Content Creator
Malwarebytes Windows Firewall Control also has a learning mode that disables notifications for all programs that don't have a digital signature.
So both add outgoing blocking/filtering to the native firewall, so they are basically the same... both are small; maybe TinyWall uses less RAM.
Correct, but TinyWall has no notifications by design.
It is slightly more complex for an inexperienced user.
 

DDE_Server

Level 21
Verified
No, you said it works silently in the background. Blocking everything isn't exactly "working", it just blocks everything. It's you who have to do all the work.
There's also an option in Windows Firewall Control to disable all notifications. The differences must be somewhere else....
No, it is a default rule to block everything except some predefined rules created by TinyWall in the Windows Firewall rules; you should whitelist every process or executable needed one by one, or just use learning mode for the first time. You misunderstood my phrase "working silent"; I mean by default it blocks all, which is mentioned in its documentation.
I installed TinyWall and now I cannot access the internet. What happened?
Upon installation TinyWall locks down your PC such that no network communication may take place, except for a few known applications. If you experience connectivity problems in some programs, use one of the "Whitelist by ..." options in the tray menu to unblock specific applications. Also be sure to check Manage->Special Exceptions if you need anything enabled there.
Read this from the FAQ on the official site at the following link:
 

security123

Level 23
Verified
The download link on your homepage uses HTTP instead of HTTPS! Manually changing the link works, but normal users don't know that or forget it.
You should fix that :)

Also, you'd better replace the MD5 and SHA1 checksums with more secure ones, as both are already broken.
SHA512 is best but SHA256 is still ok.
Here are the checksum values for both:
Code:
SHA256: 48a3ae91f00231d199628932e09697e591db4c6d037d585a8a964a1fd4dd15e3

SHA512: 808ea899e4d2eb567c5499724b05fb1ae425b4f89a6824e9019e79793c854dfc954df23298e091eeb23bd132862f6179700a07ffe598b608855aab616065f985
 

DDE_Server

Level 21
Verified
The download link on your homepage uses HTTP instead of HTTPS! Manually changing the link works, but normal users don't know that or forget it.
You should fix that :)

Also, you'd better replace the MD5 and SHA1 checksums with more secure ones, as both are already broken.
SHA512 is best but SHA256 is still ok.
Here are the checksum values for both:
Code:
SHA256: 48a3ae91f00231d199628932e09697e591db4c6d037d585a8a964a1fd4dd15e3

SHA512: 808ea899e4d2eb567c5499724b05fb1ae425b4f89a6824e9019e79793c854dfc954df23298e091eeb23bd132862f6179700a07ffe598b608855aab616065f985
This is new info for me, thanks a lot @security123
 

silversurfer

Level 63
Verified
Trusted
Content Creator
Malware Hunter
TinyWall Changelog

3.0.4 - Maintenance release (26.04.2020.)
- Make language changes take effect without a GUI restart
- Handle WMI errors gracefully in service
- Wait longer for service availability after loading desktop
- Avoid harmless exception being logged during system shutdown
- Prevent opening the Manage window when other windows are active
- Fix wrongly positioned GUI elements in Dutch and Russian localizations
- Fix potential race condition of UI timer during exit
- Fix traffic rate text ignores selected GUI language
- Updated Russian and Spanish localizations

 

ultim

Level 2
The download link on your homepage uses HTTP instead of HTTPS! Manually changing the link works, but normal users don't know that or forget it.
You should fix that :)

Also, you'd better replace the MD5 and SHA1 checksums with more secure ones, as both are already broken.
SHA512 is best but SHA256 is still ok.
Here are the checksum values for both:
Code:
SHA256: 48a3ae91f00231d199628932e09697e591db4c6d037d585a8a964a1fd4dd15e3

SHA512: 808ea899e4d2eb567c5499724b05fb1ae425b4f89a6824e9019e79793c854dfc954df23298e091eeb23bd132862f6179700a07ffe598b608855aab616065f985
Hi, sorry for the late reply.

Both of your warnings are incorrect. You cannot even access the website over HTTP or any of its files at all. All HTTP access is automatically upgraded (redirected) to HTTPS by the server, so it doesn't matter what format the links are in. I challenge you to download TinyWall from its website over an unencrypted connection, you cannot (and I haven't changed anything, this has been like this for many years).

As for the hashes, these are used for file integrity verification and not security purposes, and MD5 and SHA1 are perfect choices here due to their compatibility and speed. Using hashes on the webpage for security purposes would be pure nonsense because if the downloads were compromised or replaced by an attacker, they can also replace the hashes on the download page. So it doesn't matter how secure the hash functions are, *any* download hashes distributed on a webpage are insecure by nature. Choosing a cryptographically secure hash and then publishing it on the webpage to verify the authenticity of the download would be like buying the most expensive and secure lock for your house, and then hiding the key to it under the door mat outside - it only gives a false impression of security without any benefit.

To verify the authenticity of the download (to make sure it has not been replaced by an attacker) you always have to look at the digital signature of the downloaded file. Digital signatures are the only valid and secure method for this purpose. Of course, TinyWall comes digitally signed, so there is no problem here either. And the signature hash algorithm is SHA-256, so it is secure as it should be.

In other words, none of the points you brought up need addressing.
 

ultim

Level 2
@ultim
Is there any way to whitelist a certain domain or server connection in TinyWall? :unsure:
For example, I want to whitelist my GitHub repository link so I could push/clone it through the PyCharm IDE.
As you can see, the clone failed although the PyCharm executable/processes are whitelisted.
[Attachment: screenshot]
Not currently, unfortunately. You can create rules based on application identity, protocols and ports, but not based on domains or IPs. The git clone in your screenshot failed for another reason though. You whitelisted PyCharm, but the clone is probably made by git's own process, not by PyCharm, so PyCharm's rule does not apply to the cloning process. The easiest solution in this case (possible in TinyWall since 3.0) would be to edit the PyCharm rule and tick "Apply same rules to child processes".
 

security123

Level 23
Verified
Both of your warnings are incorrect. You cannot even access the website over HTTP or any of its files at all. All HTTP access is automatically upgraded (redirected) to HTTPS by the server, so it doesn't matter what format the links are in. I challenge you to download TinyWall from its website over an unencrypted connection, you cannot (and I haven't changed anything, this has been like this for many years).
I need to be more accurate next time..
I mean the link to your program:
[Attachment: tinywall-download-http.jpg]
As you can see, the download link goes over HTTP (http://tinywall.pados.hu/ccount/click.php?id=4)
The link to the changelog uses HTTPS.

MD5 and SHA1 are perfect choices here due to their compatibility and speed.
Using hashes on the webpage for security purposes would be pure nonsense because if the downloads were compromised or replaced by an attacker, they can also replace the hashes on the download page.
MD5 and SHA1 are broken and shouldn't be used anymore. It doesn't make a noticeable speed difference to generate SHA256 instead of MD5 & SHA1 nowadays.
Anyway, of course hosting the checksum on another server is better. Maybe you can post that here.
 

ultim

Level 2
I need to be more accurate next time..
I mean the link to your program:
[Attachment: screenshot]
As you can see, the download link goes over HTTP (http://tinywall.pados.hu/ccount/click.php?id=4)
The link to the changelog uses HTTPS.


MD5 and SHA1 are broken and shouldn't be used anymore. It doesn't make a noticeable speed difference to generate SHA256 instead of MD5 & SHA1 nowadays.
Anyway, of course hosting the checksum on another server is better. Maybe you can post that here.
No, I understood you perfectly, but it seems I didn't get my point about the link over to you. It doesn't matter that the link is http://, it will still give you an encrypted connection. Now, I'm still going to change the link to https just so that people like you don't get confused over it, but I'll leave it like this for a day or two to let you try it out and see for yourself. http:// or httpS:// doesn't matter on TinyWall's website, everything is over an encrypted connection.

MD5 and SHA1 are broken only as cryptographic hashes, but hashes in general have other applications too. You seem to be missing the fact that not all applications of hashes need to have cryptographically secure properties. Verifying download/file integrity is a perfectly valid and safe use even for "broken" hashes like MD5. As a counterexample, yes it would be very bad if MD5 was used as the hash algorithm for passwords or in TinyWall's digital signature, but those are different applications with different demands than the one on the website.

You are correct that hosting the hashes on a different server than the downloads (like, here) would improve their security. The problem with that is nobody would know about them and hence nobody would be able to check them, except for the few people coming to this thread. And no I cannot just link it from the download page, because again, if somebody can replace the download, then the link leading to the correct hashes will be also modified by the same attacker. Or I guess I could set up a separate secure fileserver for hosting only the downloads away from the website. Of course you are volunteering for maintenance and bearing the costs. EDIT: Actually that wouldn't help one bit either because then the attacker would just modify the hashes and the link to the downloads.

Please stop obsessing over the MD5/SHA1 on the download page, there is no good reason they need to be SHA-any-big-number. That would be actually worse, because it would give people a false impression of security. If you are really serious about the issue, you should get used to relying on download signatures instead of posted hashes. This is what digital signatures were made for, and there is a reason they exist.
 
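The distinction ultim draws in his two replies above (a published hash proves integrity, i.e. that the bytes arrived intact, but not authenticity, because whoever can swap the file on the server can regenerate the hash list too) can be checked with a few lines of code. The script below is an added example written for this thread, not code from TinyWall or from any poster. The "installer" bytes, the attacker's replacement bytes and the tiny `DownloadPage` model are all constructed here; the only real library calls are to Python's standard `hashlib` and `hmac`.

```python
"""Integrity vs. authenticity of a download hash published next to the file.

Added example for the thread above; the sample bytes and the server model
are constructed, nothing here is TinyWall's own code.
"""
import hashlib
import hmac

# The four algorithms discussed in the thread.
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests(data: bytes) -> dict:
    """Hex digest of the same bytes under every algorithm in ALGOS."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def verify_one(data: bytes, algo: str, published_hex: str) -> bool:
    """Recompute one digest and compare it in constant time to the published value."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, published_hex)


def which_algos_detect(data: bytes, published: dict) -> dict:
    """Per algorithm: True when the published digest does NOT match `data`."""
    return {algo: not verify_one(data, algo, published[algo]) for algo in published}


# Constructed stand-in for an installer; a real check would read the file from disk.
GENUINE = b"TinyWall-installer (constructed sample bytes)\n" * 64


def flip_one_bit(data: bytes, index: int = 100) -> bytes:
    """Simulate transfer corruption: a single flipped bit somewhere in the file."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


class DownloadPage:
    """Models one web server that hosts both the download and its hash list."""

    def __init__(self, data: bytes):
        self.file = data
        self.hashes = digests(data)


def scenario_corruption() -> dict:
    """Bit flip in transit: every algorithm, MD5 included, reports a mismatch."""
    page = DownloadPage(GENUINE)
    corrupted = flip_one_bit(page.file)
    return which_algos_detect(corrupted, page.hashes)


def scenario_substitution() -> dict:
    """Attacker controls the server: the file AND the hash list are replaced together,
    so every algorithm, SHA-512 included, reports a clean match. Nothing here is
    detected; only a signature made with a key the attacker lacks would change that."""
    page = DownloadPage(GENUINE)
    page.file = b"attacker-supplied bytes (constructed sample)\n" * 64
    page.hashes = digests(page.file)  # regenerated by the same attacker
    return which_algos_detect(page.file, page.hashes)


if __name__ == "__main__":
    print("corruption detected per algorithm: ", scenario_corruption())
    print("substitution detected per algorithm:", scenario_substitution())
```

Run as-is it prints `True` for all four algorithms in the corruption case and `False` for all four in the substitution case, which is the whole argument in two lines: the choice between MD5 and SHA-512 changes nothing about the second case, because the thing being compared against was produced by the same party that produced the file. A check that does change the second case has to anchor on something the server operator cannot regenerate, which is what the Authenticode signature on the TinyWall installer provides.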