Questions tagged [whitelist]

A whitelist shows data that is specifically allowed. All other data (not on the whitelist) will be filtered out or ignored. A whitelist is the opposite of a blacklist.

- Whitelist - only these things.
- Blacklist - everything but these things.

70 questions
44
votes
5 answers

Is blocking a country's access to a website a good measure to avoid hackers from that country?

I am located in Venezuela right now, and for the whole weekend have been unable to access grubhub.com and seamless.com. Finally, I tried using the Tor Browser and got access. The same thing happened in January when I tried to access the police…
Luis Arriojas
32
votes
4 answers

Can or should whitelisting replace encryption?

I've noticed that there is a third-party webservice we utilize programmatically at my job to transmit somewhat sensitive information and I was surprised to see that the endpoint was only using http, rather than https. Upon further investigation it…
beatsbears
11
votes
3 answers

White list or black list sanitation for international input?

There seem to be so many ways to create nefarious input that white-listing what input is good usually feels like the safer, simpler option. For instance, one can fairly easily craft a white list regex that includes good things [a-zA-Z0-9], but…
jaketrent
11
votes
1 answer

How to whitelist an Amazon ELB in a(ny) firewall?

We have a customer with a very locked-down network. Any outbound connections require whitelisting of the port and IP address. However, we are running our system behind an Amazon Elastic Load Balancer (ELB). That means that the IP address of the ELB…
Peter K.
8
votes
4 answers

Outbound proxy which whitelists by server certificate?

Short version: Are you aware of any proxy or firewall device which will permit outbound SSL connections to hosts with approved* SSL certificates only? Long version: Consider the following scenario. I have a server farm which is protected from the…
gowenfawr
7
votes
1 answer

Is it safe to allow CSS filter: url(data:)?

We have a web service where logged in users can create web page content and write custom CSS for their pages. All the HTML goes through a whitelist parser and doesn't allow any executable content. All the CSS is put through a whitelist parser that…
6
votes
5 answers

Blacklisting vs. whitelisting characters to prevent XSS?

I've been reading about XSS prevention on OWASP and other security channels. They all say that I should use ESAPI or a similar library and do input filtering through a whitelist approach. However, I use a framework (Webobjects) which encodes by…
Novice User
5
votes
2 answers

How practicable is application whitelisting

I understand that application whitelisting is better and more accurate than blacklisting. However, my question is, if you whitelist a directory, won't the malware also be able to execute in that directory? So what use is application whitelisting in…
Pang Ser Lark
5
votes
1 answer

Why should class names be whitelisted?

I am using the Accept known good validation strategy to sanitize user input (rich HTML) and am using a 3rd party component to do this. The component by default requires every permitted class name to be explicitly listed, but also has a checkbox to…
Free Radical
5
votes
2 answers

Is SSH public key authentication sufficient for protecting a server if IP Whitelisting is disabled?

I'm currently working for a startup company who maintains a server on AWS. Currently, our server is set up so that in order to access it via SSH, you need to be on a white listed IP (set up in AWS) and have a valid RSA key to connect. However, the…
Scott F
4
votes
2 answers

Is IP whitelist sufficient to protect a server?

I am currently using a server 1 managing incoming traffic from users and a server 2 managing database requests from server 2. Both servers are accessible via Internet. Would IP whitelisting be a sufficient measure of protection to prevent any traffic…
4
votes
3 answers

Lua loadstring, whitelisting against injection

I need to take input from the user of a simple bit of math they want to solve. Rather than parse their input myself, I want to just use the Lua loadstring function to load their input and evaluate it. But I don't want to let them execute arbitrary…
4
votes
1 answer

How do I set up SELinux to act as a true whitelisting solution?

I am working on an appliance device running Linux. I would like to utilize the work done so far with the targeted policy in SELinux space. Since I own everything that should be installed and running on this system I will know exactly what…
IguyKing
4
votes
2 answers

Is there a difference in security between an IP address white list and a domain white list with TLS?

It seems to me that an IP address white list relies on easily spoofed information, while a domain white list, if it forces TLS, at least, relies on the validity of the certificate systems. I may be framing this question incorrectly, or comparing…
Nathan Basanese
3
votes
1 answer

Is it safe to whitelist CDN domains?

I am trying to whitelist URLs for my PC but I want to eventually roll out the rules to my small company's firewall. But I'm having trouble with CDNs since a page may load content from many distinct URLs. Do CDNs do any content filter to allow me to…
JuanKB1024