Whitelisting and Blacklisting

In software security, we often come across two ways of allowing or blocking resources.

  1. Whitelisting
  2. Blacklisting

In this context, a resource might be an application, a URL, a domain, an IP address, etc.

Whitelisting:

Whitelisting is a process wherein a set of resources is granted access explicitly, and anything not on the list is denied. For example, if we whitelist the domains google.com and yahoo.com, these two domains are allowed and every other domain is blocked by default.

Blacklisting:

Blacklisting is a process wherein a set of resources is blocked explicitly, and anything not on the list is allowed. For example, if we blacklist the domains hacker.com and malicious.com, these two domains are blocked and every other domain is allowed by default.

A combination of the two can also be applied, for example a whitelist of permitted domains together with a blacklist of known-bad exceptions. In that case the blacklist should be consulted first, so that a listed resource is blocked even if it would otherwise match the whitelist.

Whitelisting vs Blacklisting:

Both of these approaches have pros and cons.

  • Blacklisting helps to defend against known malicious resources, but cannot defend against new ones. For example, if an extremely harmful application or domain appears on a given day, the blacklist will not contain it until it has been identified and explicitly configured, and by then the damage may already have been done. Whitelisting, on the other hand, blocks such new, unknown resources by default.

  • Whitelisting, if not done properly, might interfere with users' day-to-day work. For example, if a corner use case of a known application needs access to a domain other than the ones configured, the request is blocked and regular work is disrupted. A well-planned and maintained whitelist is nevertheless generally considered the more secure of the two approaches, because it fails closed.
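The domain examples above, worked through in code, as an added example that is not part of the original page. It applies the two domains whitelisted and blacklisted earlier in both modes and in combination, against a constructed set of requests that includes a domain "unknown to the blacklist" (brand-new-evil.example is a made-up name), a look-alike subdomain, and a URL with a userinfo trick. All list contents and sample URLs are assumptions for the illustration:

```python
from urllib.parse import urlsplit

# Constructed policy for the illustration (not from any real deployment).
ALLOWLIST = {"google.com", "yahoo.com"}        # whitelist: only these may pass
DENYLIST = {"hacker.com", "malicious.com"}     # blacklist: only these are stopped


def host_of(url):
    """Return the normalised hostname of a URL, or None if it has none.

    Matching on the parsed hostname (not the raw string) matters: in
    https://google.com@hacker.com/ the host is hacker.com, and a plain
    substring check for "google.com" would be fooled.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.lower().rstrip(".")   # urlsplit lowercases; strip trailing dot


def in_domains(host, domains):
    """True if host equals a listed domain or is a subdomain of one.

    The label-boundary check means google.com.hacker.com does NOT match
    google.com, which a naive endswith("google.com") would accept.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def allowlist_allows(url):
    """Whitelist mode: default deny, only listed domains pass."""
    host = host_of(url)
    return host is not None and in_domains(host, ALLOWLIST)


def denylist_allows(url):
    """Blacklist mode: default allow, only listed domains are stopped.

    A URL with no parseable host is refused in both modes (fail closed);
    a real default-allow tool might choose otherwise.
    """
    host = host_of(url)
    return host is not None and not in_domains(host, DENYLIST)


def combined_allows(url):
    """Both lists: the blacklist is checked first so a listed-bad domain
    can never slip through, then the whitelist supplies the default deny."""
    host = host_of(url)
    if host is None or in_domains(host, DENYLIST):
        return False
    return in_domains(host, ALLOWLIST)


# Constructed sample requests, including a domain that appeared "today" and
# is therefore on nobody's blacklist yet.
SAMPLE_URLS = [
    "https://mail.google.com/inbox",
    "https://www.yahoo.com/",
    "https://cdn.malicious.com/payload.js",
    "https://brand-new-evil.example/",          # unknown to the blacklist
    "https://google.com.hacker.com/",           # look-alike subdomain
    "https://google.com@hacker.com/",           # userinfo trick
    "javascript:alert(1)",                      # no host at all
]


def decisions(urls=SAMPLE_URLS):
    """Map each URL to its (allowlist, denylist, combined) decisions."""
    return {u: (allowlist_allows(u), denylist_allows(u), combined_allows(u))
            for u in urls}


if __name__ == "__main__":
    for url, (allow, deny, both) in decisions().items():
        print(f"{url:40} allowlist={allow!s:5} denylist={deny!s:5} combined={both}")
```

Running it shows the trade-off from the list above in one table: brand-new-evil.example passes the blacklist and is stopped by the whitelist, while the look-alike and userinfo URLs are caught only because matching is done on the parsed hostname with a label boundary rather than on a substring of the URL.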

Reference Use cases:

One use case of applying whitelisting and blacklisting is filtering URLs in network-layer tools such as proxies and firewalls. Another is restricting the characters accepted by input fields in an application, as one layer of protection against injection attacks such as XSS and SQL injection. For instance, fields like a name field or an address field on a web page could be restricted to accept only certain characters (whitelist), or to reject specific special characters (blacklist).
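The input-field use case, as an added example that is not from the original page: a whitelist expressed as an anchored regular expression for a name field and an address field, beside a blacklist of the "special characters" an engineer would enumerate first, both run over constructed inputs. The field policies and the blocked-character set are assumptions chosen for the illustration:

```python
import re

# Constructed field policies (hypothetical; a real application sets its own).
# Whitelist: the complete set of characters a field may contain, plus a
# length bound, written as a pattern that must match the whole value.
NAME_ALLOWED = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")
ADDRESS_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ,.#/'-]{0,127}")

# Blacklist: the handful of "special characters" that come to mind first.
BLOCKED_CHARS = frozenset('<>"&;\\')


def allowed_by_whitelist(value, pattern=NAME_ALLOWED):
    """Accept only if every character (and the length) matches the pattern."""
    return pattern.fullmatch(value) is not None


def allowed_by_blacklist(value):
    """Accept unless one of the enumerated bad characters is present."""
    return not any(ch in BLOCKED_CHARS for ch in value)


# Constructed inputs: legitimate names plus a few payloads.
SAMPLE_INPUTS = [
    "Ada Lovelace",
    "O'Brien",
    "<script>alert(1)</script>",               # classic, caught by both
    "javascript:alert(1)",                     # no listed char, passes blacklist
    "\uff1cimg src=x onerror=alert(1)\uff1e",  # fullwidth < > were not enumerated
    "x" * 300,                                 # no bad char, but absurd length
]


def evaluate(values=SAMPLE_INPUTS):
    """Return {value: (whitelist_ok, blacklist_ok)} for each input."""
    return {v: (allowed_by_whitelist(v), allowed_by_blacklist(v)) for v in values}


def blacklist_bypasses(values=SAMPLE_INPUTS):
    """Inputs the blacklist lets through but the whitelist rejects."""
    return [v for v, (w, b) in evaluate(values).items() if b and not w]


if __name__ == "__main__":
    for value, (w, b) in evaluate().items():
        print(f"{value[:40]!r:45} whitelist={w!s:5} blacklist={b}")
    print("blacklist bypasses:", len(blacklist_bypasses()))
```

The blacklist only knows the characters someone thought to list, so a payload built from other characters (a scheme with a colon, fullwidth angle brackets, or simply an oversized value) sails through, while the whitelist rejects anything outside the small set a name can legitimately contain. Character validation of this kind limits what reaches the application; it does not replace output encoding or parameterised queries at the point where the value is used.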
