Why do firewalls have to be such a PITA?

I’m in a ranting mood today, so it’s the perfect time for me to complain about the state of firewalls.  Specifically, about how they’re an incredible pain for desktop developers and support technicians to deal with.

Here’s the deal: every single time a new version of FeedDemon is released, we get complaints that it no longer connects to the Internet.  And every single time the culprit has been a firewall which silently blocks the new version.  Now, I can certainly understand why a firewall would warn the user that an executable has changed – it should do that – but I fail to understand why it would block a changed application without informing the user.  As far as the end user is concerned, the application just doesn’t work.

Even worse is that some software firewalls continue to block applications even after they’ve been disabled.  So savvy end users who disable their firewall in an attempt to determine whether it’s blocking an application are led to believe that the firewall isn’t the problem, so it must be the application’s fault.  And unbelievably, we’ve even seen ZoneAlarm continue to block applications despite the fact that it has been uninstalled (figure that one out, folks)!

This is so clearly insane that I have to think it’s on purpose, like it’s part of a vast Web 2.0 conspiracy to get people to stop using desktop applications by making them impossible to support.

OK, so maybe that’s a stretch, but visit the support forum of any desktop application that connects to the Internet, and I’ll bet you’ll find people complaining that they upgraded to the newest version of the application and now it won’t connect.  This situation is wasting countless hours for end users, programmers and support staff alike.

Surely firewall developers can do better than this?
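To make the complaint above concrete, here is a small model of what an application firewall does when an executable changes: it keeps a rule keyed by the program's path and a fingerprint of its contents, and an upgrade makes that fingerprint stop matching. This is an added illustration written for this page, not code from FeedDemon, ZoneAlarm or any other product; the path and the "binary contents" are constructed sample values. It contrasts the silent-block policy the post describes with a policy that asks the user, honours a disabled firewall, and includes a `diagnose` helper of the kind a support technician would want when the answer to "why won't it connect?" is "your firewall's rule was written for last week's binary".

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"  # surface a prompt so the user knows the firewall intervened


@dataclass
class Rule:
    path: str
    sha256: str   # fingerprint of the binary the user originally approved
    allowed: bool


@dataclass
class AppFirewall:
    # What to do when a binary's contents differ from the approved fingerprint.
    on_changed_binary: Verdict
    enabled: bool = True
    rules: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)  # what the user actually sees

    @staticmethod
    def fingerprint(contents: bytes) -> str:
        return hashlib.sha256(contents).hexdigest()

    def approve(self, path: str, contents: bytes) -> None:
        """Record that the user allowed this exact binary."""
        self.rules[path] = Rule(path, self.fingerprint(contents), True)

    def decide(self, path: str, contents: bytes) -> Verdict:
        if not self.enabled:
            # A disabled firewall must not block anything; the post describes
            # products that kept blocking after being disabled or uninstalled.
            return Verdict.ALLOW
        rule = self.rules.get(path)
        if rule is None:
            self.notifications.append(("unknown-app", path))
            return Verdict.ASK
        if rule.sha256 != self.fingerprint(contents):
            # The binary changed (an upgrade). BLOCK here is the silent failure
            # the post complains about: the connection dies and nothing is shown.
            if self.on_changed_binary is Verdict.ASK:
                self.notifications.append(("changed-app", path))
            return self.on_changed_binary
        return Verdict.ALLOW if rule.allowed else Verdict.BLOCK


def diagnose(fw: AppFirewall, path: str, contents: bytes) -> str:
    """Support-desk check: explain what the rule table will do with this binary."""
    if not fw.enabled:
        return "firewall disabled: every connection should be allowed"
    rule = fw.rules.get(path)
    if rule is None:
        return "no rule for this path: the user will be asked"
    current = fw.fingerprint(contents)
    if rule.sha256 != current:
        return (f"binary changed since the rule was written "
                f"(approved {rule.sha256[:12]}..., now {current[:12]}...); "
                f"policy for changed binaries is '{fw.on_changed_binary.value}'")
    return "rule matches: allow" if rule.allowed else "rule matches: block"


# Constructed sample values; the path is hypothetical.
PATH = r"C:\Program Files\FeedDemon\FeedDemon.exe"
OLD_BUILD = b"FeedDemon build 1 (constructed stand-in for the executable bytes)"
NEW_BUILD = b"FeedDemon build 2 (constructed stand-in for the executable bytes)"


def run_upgrade_scenario(policy: Verdict):
    """Approve the old build, then upgrade it; return the verdict and firewall."""
    fw = AppFirewall(on_changed_binary=policy)
    fw.approve(PATH, OLD_BUILD)
    assert fw.decide(PATH, OLD_BUILD) is Verdict.ALLOW  # sanity: unchanged binary
    return fw.decide(PATH, NEW_BUILD), fw


if __name__ == "__main__":
    for policy in (Verdict.BLOCK, Verdict.ASK):
        verdict, fw = run_upgrade_scenario(policy)
        print(policy.value, "->", verdict.value, "| user saw:", fw.notifications)
        print("  diagnose:", diagnose(fw, PATH, NEW_BUILD))
```

The silent-block run ends with an empty `notifications` list, which is exactly the support nightmare described above: the verdict is a block, but the only evidence is a connection that fails. The `diagnose` helper is the check a technician wants before blaming the application, and the `enabled` guard is the property the ZoneAlarm anecdotes show being violated.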

  1. I don’t use any third party firewalls – they are all causing problems. I do have a hardware firewall on my home/work network. ZA is particularly well known for causing problems…

  2. ZoneAlarm is just a big steaming pile of crap however you look at it.
    I much prefer to rely on a hardware firewall than software hacks that interfere with my freedom to use my machine while not guaranteeing they’ll never be disabled by a rogue virus.

  3. The problem with blaming it on Web 2.0 is that Firefox suffers the same fate, to the extent that I’ve seen at least one bug on having a special error page for a connection failure trying to load the first-run page, which will say “Your firewall is being lame.”

  4. I agree that most application firewalls are a complete PITA. However, I can also see this from the other side – as the guy that has to clean up the mess when a user gets infected with malware.
    I’m not trying to be a firewall apologist, but it seems to me that ultimately the users are to blame here. App firewalls are doomed to fail because users hate popups and are trained to ignore them or do whatever they can to make them go away. The more the firewall pops up windows, the more they desensitize the user. In the ZA case specifically, I thought that the icon sat there and blinked in the tray until you specifically allowed the changed executable. (Admittedly, I haven’t used it in years, so maybe it doesn’t do that any more.)
    Yet again, it comes down to user education. You have the Nielsons and Spolskys of the world that tell you that the user will never be educated, but I think that way lies insanity. If a person doesn’t understand what a firewall is doing, how are they going to be protected by it?

  5. Rick, I respectfully disagree. I don’t think for a moment that users are to blame here. They (we!) shouldn’t have to know how firewalls work, and they shouldn’t have to deal with firewalls silently blocking their applications.
    IMO, it’s things like this that make computers so frustrating for non-tech users.

  6. We’ve got exactly the same problem with each new version of Opera. It’s a tiny percentage of upgraders – at least when counting the ones that reach the community support channels…
    I’ve never experienced the issue myself (McAfee Firewall active) – it might be that people simply forget to click ‘OK’ on the warning that pops up. I’ve never tried *not* clicking on the dialog; maybe it blocks automatically after some time? Or people mis-click. I’m not blaming the users; the firewalls might try to become a little bit smarter to prevent these accidents.
    ZoneAlarm used to be a problem indeed – disabling didn’t *really* disable it. But it looks like we get fewer problems related to ZoneAlarm. Hopefully the program isn’t used as much anymore.

  7. I agree that silent blocking is unacceptable. The main problem with firewalls and user alerts is that 99% of the people have no idea what the alert means so they just click “Allow”.
    MS took a lot of heat for configuring the XP firewall to allow all outbound connections. Their rationale was that most people are going to allow everything anyway so why bother them. I have to agree with them on that one. Your regular home user isn’t going to recognize an obscure filename as some form of malware.
    I used to use a Norton firewall on my old machine, but when I got my new XP box I’m just using the XP firewall behind a NAT router and I’ve had no problems.

  8. I feel bad to have precipitated Nick’s post; a couple of weeks ago I was complaining in the NewsGator forums about FeedDemon not being able to connect, and it turned out that I had uninstalled ZoneAlarm before installing an updated version of FeedDemon.
    The only fix turned out to be reinstalling ZoneAlarm – how crazy is that?
    I wonder if there were others that have had the same problem?

  9. Hi Nick,
    I feel your pain. I’m in the same situation as you are – only that it’s even worse. In your case, it’s about an application for a user that generally knows what the internet is and how it works. Also, most of the time, FeedDemon is installed by the user himself.
    The battle I’m fighting is about a tool reading a barcode scanner, allowing the end user to quickly order products at his distributor (food for restaurants, for example).
    Now, these users basically have no idea how the internet works or what the internet is. The application is installed on their client and it’s made sure that it works.
    But then they read some strange article in dubious publications that usually have articles like “500 secret XP tuning tips” and such. And these publications make them install tools like Norton Internet Security.
    And especially NIS is deadly for any internet application already on the PC, as its default setting is to block all applications not on a list authorized by Symantec – good luck getting your tool there if you aren’t a big vendor.
    Sometimes, people actually turn that off and switch it over to “ask every time”. Then they permit our application to access the internet and after that they call the support line.
    Firewalls are a good thing, but I’m not that sure about personal Firewalls installed on PCs of people that have no clue of computers or the internet.

  10. Well said, Nick.
    In my opinion most of the firewall and some of the anti-spyware solutions cause more problems than they solve.
    I’m not against firewalls or anti-spyware conceptually, and I’ve chosen and use products in both categories, but some of the popular examples out there are just crap. They absolutely should not silently block or, in some cases actually kill, a program. There’s no reason not to inform the user of this. If the user wants them to be *silently* blocked then the programs would have to be routinely connecting to the internet (else why would the odd warning message be bothersome?) which means that either the user doesn’t trust the program at all or they’re doing something dodgy like running a pirate version and afraid it’ll reveal that when it checks for updates or whatever. If the program is untrusted to that level then it should be uninstalled. (Ditto if it’s pirated.) So what use is a silent block or kill?
    I help out on the support forum for a file manager and we’ve even seen cases where a firewall silently kills the program because it has the audacity to run another program. WTF is that about? Executables run other executables all the time; it’s not something you should routinely and silently block. Block particular executables (like format) maybe, but even then a message to alert the user would be better. If something is doing something dodgy then I want to know about it so I can either authorise it or uninstall the program that is behaving suspiciously.
    The defence that users can configure the firewalls to not cause these problems doesn’t wash with me. These programs are aimed at general users, not power users. They’re supposed to make life simple for people who probably don’t know that much about how computers work. Anyone who does know a lot probably wouldn’t choose such a program in the first place. They cause more harm than good.

  12. It seems that firewall developers can’t do better than what we saw. What we need are developers with Nick’s approach to developing software. Nick: I’m still using HomeSite and will continue using it in 2007. You have created a landmark piece of software. You did it again with TopStyle and again with FeedDemon.
    Maybe one day you’ll find the time to develop THE firewall solution? It is like in the real world: 1% of criminals keep a whole security industry busy. So if you enter the computer security business, you won’t be running out of work.

  13. The problem with all software firewalls on XP and before is that they need to patch the Windows kernel to work. Most of the “security suites” also do this for many of their other functions. Why? Because they can. Do you want to work on a machine with a kernel patched by some third-party company, for their own aims? I didn’t think so.
    The 64-bit version of Vista will allegedly have kernel patch protection (PatchGuard) but this too won’t be a real deterrent until they link it to a hardware lock.

