Examples of whitelists or blacklists
In IT there are many areas of application for whitelists and blacklists. Here you will find some “technical” examples:
- Spam filters offer the possibility of entering IP addresses, e-mail addresses or domain names of senders on a whitelist to protect their e-mails from being rejected or sent to a junk mail folder.
- Firewalls use whitelists or blacklists.
- Content management systems offer ways to block or approve commenters and to manage them in corresponding lists.
- Adblockers have features to allow ads from defined sources.
In addition, companies have individual lists that do not lead directly to a technical “block”, but must be checked by organisational measures – e.g. by taking inventory:
- A list of suppliers with whom one cooperates.
- A list of programs that may be used in an area; such a list is also called an application whitelist.
- A list of products (smartphones, laptops, etc.) that employees are allowed to use for their work.
There are also numerous examples of whitelists outside IT:
- Peta Deutschland e.V. publishes various positive lists, e.g. for detergents and cleaning agents or for food producers that do not test on animals.
- PHINEO – a non-profit analysis and consulting company for effective social commitment – awards a seal of approval. The aim is to promote non-profit organisations. Phineo explicitly points out that there is no blacklist of companies that have tried in vain to obtain the seal.
- The Central Committee of German Agriculture maintains a positive list for straight feedingstuffs.
- And German federal authorities are increasingly conducting bidding competitions in which the winners end up in a pool of possible suppliers (in other words, on a whitelist), who are then asked for concrete offers when individual services are called up in an accelerated procedure.
The criteria for creating a positive list
As the various examples show, positive lists are used in many areas. Depending on the area and content, the criteria under which an organisation, product or service is positively listed naturally vary. Companies that want to do business with other companies, for example, may have to
- go through audits,
- provide supporting evidence,
- accept liability or warranty regulations,
- agree to terms of payment,
- guarantee reaction times,
- store source code in bank deposit boxes,
- or provide access to office space.
For application whitelists, for example, it might be necessary to
- support digital signatures,
- use cryptographic hashes,
- restrict the execution to defined network areas,
- support monitoring of libraries, scripts, macros, browser plug-ins, add-ons, configuration files or registry entries.
In practice, there are two procedures for Application Whitelisting:
- Using information from vendors that are considered trustworthy, supplemented by your own findings.
- The technical review of applications and, in the case of “clean” operation, the definition of a baseline.
The combination of both approaches should offer the greatest security.
It is advisable to version a whitelist so that it is clear to all parties involved from which date which version of the list is current and binding.
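As an added example (not code from the original article), the following Python script shows the two procedures described above: hashing a known-clean installation into a versioned baseline, merging in hashes supplied by a trusted vendor, and then enforcing default-deny execution against that list. All file contents, the vendor hash and the version date are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(clean_dir: str, version: str, valid_from: str, vendor_hashes=None) -> dict:
    """Record every file of a known-clean installation (the 'baseline' procedure)
    and merge in vendor-supplied hashes (the 'trusted vendor' procedure).
    The version and effective date make it clear which list is binding."""
    allowed = {}
    for root, _, files in os.walk(clean_dir):
        for name in sorted(files):
            p = os.path.join(root, name)
            allowed[sha256_of_file(p)] = os.path.relpath(p, clean_dir)
    for digest, label in (vendor_hashes or {}).items():
        allowed.setdefault(digest.lower(), "vendor:" + label)
    return {"version": version, "valid_from": valid_from, "allowed": allowed}

def check_execution(baseline: dict, path: str) -> tuple:
    """Default deny: a file may run only if its hash is on the current list."""
    digest = sha256_of_file(path)
    label = baseline["allowed"].get(digest)
    if label is None:
        return False, "DENY %s: not in whitelist v%s" % (path, baseline["version"])
    return True, "ALLOW %s: matches %s" % (path, label)

def demo() -> dict:
    """Constructed scenario: one clean tool, one tampered copy, one vendor build."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        os.makedirs(clean)
        samples = {  # constructed file contents, not real binaries
            os.path.join(clean, "tool.bin"): b"constructed-sample-binary-v1",
            os.path.join(tmp, "tool_tampered.bin"): b"constructed-sample-binary-v1-PATCHED",
            os.path.join(tmp, "vendor_tool.bin"): b"constructed-vendor-build-42",
        }
        for p, content in samples.items():
            with open(p, "wb") as f:
                f.write(content)
        vendor = {hashlib.sha256(b"constructed-vendor-build-42").hexdigest(): "build 42"}
        baseline = build_baseline(clean, "1.0", "2024-01-01", vendor)
        return {os.path.basename(p): check_execution(baseline, p)[0] for p in samples}
```

Calling `demo()` returns `{'tool.bin': True, 'tool_tampered.bin': False, 'vendor_tool.bin': True}`: the baselined file and the vendor build are allowed, the modified copy is denied because its hash is not on the list.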