Whitelisting is the selection of trustworthy sources and applications in digital communications and IT security. A whitelist is a collection of data associated with people, businesses, or software products which, as trustworthy sources, are allowed to deliver emails, to execute programs and apps, and to display online advertising. Each entry in the whitelist identifies a sender, receiver, or source as authorized. A system (for example, a user device, a server, or an add-on) then checks the whole record against this list. The goal is to permanently exclude defective software and spam and to keep the system secure. Whitelisting is used extensively in email marketing, IT security, and online advertising, sometimes in combination with blacklisting.
In contrast to blacklisting, which excludes specific resources, whitelisting uses positive examples of trustworthy sources to grant access to a service, the display of an advertising medium, or the delivery of email, and excludes all other resources. This is also referred to as a default deny approach: every resource that is not on the whitelist is rejected. As a rule, a verification takes place on first-time registration in order to regulate admission to and access via the whitelist. The criteria for inclusion in a whitelist may vary greatly depending on the provider, organization, or software. The following types of positive lists can be distinguished:
Email clients can be used to create a whitelist on the user side. The user maintains the whitelist by adding email senders manually. Most mail programs, such as Mozilla Thunderbird, Microsoft Outlook, or Apple Mail, offer such functions and filter options. This is called client-side whitelisting. Filter criteria can be:
Within the framework of collaborations such as the Certified Senders Alliance, the Spamhaus Whitelist, or the ReturnPath initiative, whitelists are used to regulate the distribution of newsletters and to prevent intrusive advertising and phishing. In email marketing, the deliverability of newsletters is ensured by the senders' participation in these collaborations, whereupon an Internet service provider (ISP) allows an email service provider (ESP) to distribute newsletters through its infrastructure. The user can only prevent this type of email transmission with a blacklist in the email program.
Positive lists are also used in the areas of software, servers, and advertising. The principle is similar, but application whitelisting is not necessarily implemented in a way that the end user can access. Either the user device already carries this protection mechanism because the manufacturer or system administrator built it into the program and system logic, or the user installs an add-on or plug-in on the device that relies on whitelisting and other protection mechanisms (for example, an ad blocker). When an application is to be executed on a system, the system first checks whether the positive list contains it. If not, execution of the application is prevented. The following filter and test criteria are used for application whitelisting:
At the level of servers, IP addresses, domains, or IP clusters, whitelisting is described as server-side whitelisting. Each Internet service provider (ISP) operates its own whitelist to allow trustworthy sources to access its infrastructure. ISPs and ESPs also cooperate in part on particular types of data transmission. For IT infrastructures with high security requirements, whitelisting is used to protect against exploits, since blacklisting offers no effective protection against attacks that have never occurred before.
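As an added illustration (not code from the original article) of the default-deny check performed by application whitelisting and of why a blacklist cannot stop an attack it has never seen, the following Python sketch compares a hash-based application whitelist with a blacklist; the byte strings are constructed stand-ins for real executables.

```python
import hashlib

# Constructed sample "programs": these byte strings stand in for real executables.
SAMPLES = {
    "trusted_editor": b"MZ demo-editor v1.2 (constructed sample)",
    "tampered_editor": b"MZ demo-editor v1.2 (constructed sample) + injected code",
    "known_malware": b"MZ known-bad-sample (constructed)",
    "new_malware": b"MZ never-seen-before-sample (constructed)",
}


def sha256_hex(program: bytes) -> str:
    """Identify a program by the hash of its full contents, not by name or path."""
    return hashlib.sha256(program).hexdigest()


class ApplicationWhitelist:
    """Default deny: a program runs only if its hash was registered in advance."""

    def __init__(self, allowed_hashes):
        self._allowed = frozenset(allowed_hashes)

    def allows(self, program: bytes) -> bool:
        return sha256_hex(program) in self._allowed


class ApplicationBlacklist:
    """Default allow: everything runs unless its hash is already known to be bad."""

    def __init__(self, blocked_hashes):
        self._blocked = frozenset(blocked_hashes)

    def allows(self, program: bytes) -> bool:
        return sha256_hex(program) not in self._blocked


def execution_decisions(policy, samples=SAMPLES):
    """Map each sample name to True (execution allowed) or False (blocked)."""
    return {name: policy.allows(data) for name, data in samples.items()}


# The administrator registered only the trusted editor; the blacklist has a
# signature only for the malware sample that was seen before.
WHITELIST = ApplicationWhitelist([sha256_hex(SAMPLES["trusted_editor"])])
BLACKLIST = ApplicationBlacklist([sha256_hex(SAMPLES["known_malware"])])

if __name__ == "__main__":
    for label, policy in (("whitelist", WHITELIST), ("blacklist", BLACKLIST)):
        print(label, execution_decisions(policy))
```

The whitelist blocks both the tampered copy of the editor and the never-seen malware, while the blacklist lets both run because neither hash was known in advance.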
Whitelisting is a practice that is criticized by different parties, depending on the application. Two examples:
Whitelisting is practiced in various areas of online marketing to allow the reception of newsletters and the display of advertising, or to increase the security of a system. Email marketing campaigns can implement both approaches to ensure the delivery of emails: certain resources that are not intended to be advertised on are excluded, while other resources are preferred by whitelisting. This makes it possible to control deliverability or the placement of ads. Functions such as frequency capping, double opt-in, and proven principles of permission marketing should also be considered as part of such campaigns, so that the sender or advertiser does not land on a blacklist. Similar best-practice examples apply to online advertising.