Whitelist
What is a whitelist?
A whitelist is a list of pre-approved entities or resources that are deemed safe or acceptable. A whitelist of entities can indicate who has access to a system or is safe to exchange communication with. A whitelist of resources may contain websites, software, or applications that have been identified as safe to use. Use of a whitelist enhances online security by preventing unwanted interaction with hackers, phishing, or malware-related activities.
Other terms for whitelist include allowlist, acceptlist, permitted list, approved list, and safelist. When using whitelists, the default action is to deny access unless the item or person in question is on the list. While whitelists are used by both individuals and organizations, the purpose of a whitelist is generally the same for all users—to protect a device or data from outside threats. A whitelist can also improve one’s online experience by blocking unwanted material like spam email.
Note: The terms “whitelist” and “blacklist” can carry negative connotations, and in some circles have fallen out of favor. We’ve chosen to use the terms here strictly for the sake of familiarity.
What’s in a whitelist?
Whitelists are created for different categories and uses. Individuals can use whitelists to keep their devices safe from malware, and reduce the amount of time spent handling unwanted material like spam emails. Organizations use whitelists for these same benefits, as well as improving network security. Whitelists are often unique to the user’s needs, and so are created by the user.
Email whitelist
An email whitelist contains email addresses that are designated as being from safe origins. Whitelisted senders can be indicated on an individual basis (using the complete email address) or by domain (for example, “accept any email from @example.com”). One of the most popular uses for an email whitelist—what some email apps call a Safe Senders list—is to ensure a particular sender doesn’t accidentally get flagged (and thus removed) by a junk or spam filter. When you whitelist a sender, the email software will override any defaults that may have sent those messages to a junk folder, and instead direct them to your inbox, or other folder you’ve designated.
The idea of email whitelists can also be used to manage inboxes beyond the junk folder. You can build various lists of email addresses and create rules to direct emails to different folders based on these lists. For example, you may create a rule that directs all emails from @example.com into a separate folder.
Email whitelisting won’t necessarily put all non-whitelisted messages into the junk folder—phishing emails, for example, can still show up in your inbox even with a whitelist in place. But when a phishing email that looks work-related ends up in your general inbox and not your @example.com folder, it stands out as suspicious.
Website whitelist
A website whitelist is a list of known safe websites, using the URL as the identifier. The criteria for determining a safe website depends on the user, but a general goal is to steer online activity away from malicious sites that may contain malware or other security threats. Businesses often use website whitelists to protect their hardware and data from accidental malware downloads. When a website whitelist is deployed, a user within the organization can only access websites that appear on the whitelist.
An individual can also create and use a website whitelist with tools like browser extensions. They may do this to protect themselves against malware, or they may do this to control the type of content another person can access, like a parent might do for a child.
Application whitelist
Similar to website whitelists, application whitelisting is a tool used by businesses to protect their hardware and data. By limiting the applications a user can install on a company-owned device, the business reduces the chance of their whole system becoming infected with malware or ransomware. Application whitelists aren’t limited to software packages like Microsoft Office or Zoom—they also include smaller-scale applications like browser extensions, add-ons, and macros.
Building and maintaining an application whitelist can be a big job. Organizations may opt to subscribe to a third-party service that provides a regularly updated list, often paired with antivirus protection and other cybersecurity services.
IP whitelist
An IP address whitelist provides security by controlling who can get remote access to a system. Access is only provided to individuals requesting access from an approved IP address. Someone trying to log in from an unapproved IP address is blocked. An IP whitelist provides security against hackers, especially ransomware attacks that require network access to the target’s data.
IP whitelisting can help address the security issues that arise from remote work. If an employee works regularly from the same location (like a shared workspace), and this location has a static IP address, then an IP whitelist can work well. However, if an employee often works from different locations (e.g. airports or conferences), whitelisting IP addresses can be much more challenging, and become a strain on IT resources.
Another challenge with IP address whitelists is that ISPs will often assign residences a dynamic rather than a static IP. While in practice, most dynamic IP addresses may stay the same over time, they do occasionally change. If they change, the new IP address would likely not be on the whitelist, and the user’s access would be disrupted.
Because of these hurdles, IP whitelists can quickly become administratively burdensome, particularly for large organizations with many remote users. Introducing a remote-access VPN into the connection process removes the variable IP address issues of changing locations or dynamic IP address assignments. Instead of having to track numerous individual IP addresses, access can be granted to a user based on the VPN’s static IP address.
Game server whitelist
Creating a game server whitelist is a way to control the players who can join an online multiplayer game. Some multiplayer games allow an individual or group to host the game on their own server, whether this means on a server they physically own or one they rent from a game server provider. Once the game is set up on the server, the individual or group may decide to limit who can play by creating a whitelist of user names.
The pros and cons of whitelists vs. blacklists
While a whitelist is a list of known safe entities or resources, a blacklist (also called denylist or blocklist) is a list of known unsafe ones. When it comes to things like websites and applications, it’s not possible to categorize every object as safe or unsafe. This leaves the vast majority of content somewhere in between. Whitelists are more restrictive—they block this gray-area content and anything on the blacklist. By contrast blacklists are more lenient: they allow through anything that’s not explicitly on the list of known unsafe items.
The relative volume of content in each of the white, black, and gray areas will factor into an organization’s decision of whether to use a whitelist or a blacklist. In general, a whitelist is used when the number of allowed options is smaller than the number of disallowed options, and the intended fallback option is to fail safely. By contrast, a blacklist is generally used when the number of available options is significantly greater than the number of disallowed options, and the intended fallback option is to fail permissively.
The content of blacklists is fairly universal—a compiled list of known unsafe websites would be appropriate for many parties (both businesses and individuals). But whitelists are more tailored to individual needs. Whitelists are usually built for a specific purpose or user. For example, a website whitelist for a business wouldn’t necessarily work for an individual’s needs because an individual might want access to commerce or social media that a business may not want to whitelist.
Blacklists need constant maintenance—new threats appear all the time. Spam filters are based on blacklists, as are malware and antivirus scans. Whitelists can require a similar effort to maintain, depending on how much change is experienced. For example, ongoing turnover of employees working from home means an IP whitelist needs constant updates.
Occasionally, a blacklist may contain an item that’s actually safe. This happens often with email spam blacklists, and is a particular concern for email marketers. While mail service providers (like Gmail or Outlook) ultimately decide whether or not to mark a blacklisted item as spam, they may base their decisions on blacklists compiled by vendors that specialize in email blacklists. If someone discovers their email address, domain, or IP address has been blacklisted, they can appeal to the party that generates the particular blacklist, whether it’s the mail service provider or the blacklist vendors. Each blacklist creator has their own process for appealing.
Another way email marketers try to defend against spam blacklists is to appeal to the recipients by encouraging them to whitelist their email or domain (e.g. add it to a Safe Senders list).
Do whitelists improve security?
Whitelists can be a great asset for keeping hardware and data secure. They can restrict who gets access to a system, and keep malware from being installed, or create safer online spaces. While they can introduce complexity for IT administrators in business settings, or sometimes mistakenly flag legitimate resources as unsafe, in general whitelists can improve both personal and workplace security.
