Whitelists are better than blacklists
Jun 23rd, 2008 by Micheal
While checking on extension compatibility for Firefox, I ran across a rather worrying comment on the NoScript addon page.
NoScript is an addon for Firefox that allows users to specify which sites are allowed to execute JavaScript, Flash, PDF, Silverlight, and more. This is a really good idea: it prevents the execution of potentially harmful JavaScript by default, and only sites the user has explicitly trusted get to run code. The worrying comment? Here it is:
I suddenly gave up NoScript WhiteListing in favor of YesScript’s Blacklisting. NoScript assumes all the Internet’s JavaScript is Not safe. It’s like Windows Vista UAC Prompts — except on the Internet, it’s overkill.
by thenonhacker on June 7, 2008
In case you haven’t already guessed, this is a pretty poor and sadly rather common outlook. A blacklist allows everything by default, so a site’s code has already executed before you have any chance to judge it; by the time you realize it was harmful, it has already caused … harm. A whitelist reverses this: nothing runs until you decide it should, so an unknown or freshly compromised site gets no chance to execute anything. Therefore, blacklisting sites in this manner is bad security practice and does nothing to protect the user from the one site that matters, the one nobody has added to the list yet.
That’s not to say that blacklists don’t have their uses, because they certainly do, but not when it comes to JavaScript and plugin content that can execute and cause harm.
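To make the default-allow versus default-deny difference concrete, here is an added example (written for this page, not code from NoScript, YesScript or the original post) that evaluates the same list of script URLs against a blacklist and a whitelist. The host names, the two policy lists and the script URLs are constructed for illustration; the matching helper also shows the check a practitioner wants when matching domains, namely that a subdomain rule must not let `evilexample.com` pass as `example.com`.

```javascript
// Added example: a default-allow blacklist beside a default-deny whitelist,
// both applied to the same constructed set of script origins.
// All host names and URLs below are made up for illustration.

// Exact host or a proper subdomain of the pattern. Requiring the leading "."
// is what stops "evilexample.com" from matching the pattern "example.com".
function hostMatches(host, pattern) {
  return host === pattern || host.endsWith("." + pattern);
}

// Compare on the normalized host only, never on the raw URL string.
function normalizeHost(url) {
  return new URL(url).hostname.toLowerCase();
}

// Blacklist policy (YesScript-style): everything runs unless explicitly blocked.
function blacklistAllows(url, blocked) {
  const host = normalizeHost(url);
  return !blocked.some((pattern) => hostMatches(host, pattern));
}

// Whitelist policy (NoScript-style): nothing runs unless explicitly trusted.
function whitelistAllows(url, trusted) {
  const host = normalizeHost(url);
  return trusted.some((pattern) => hostMatches(host, pattern));
}

// Constructed policy lists.
const TRUSTED = ["example.com", "cdn.example.net"];
const BLOCKED = ["known-bad.example"];

// Constructed script sources a page might try to load.
const SCRIPTS = [
  "https://example.com/app.js",              // trusted site
  "https://static.example.com/lib.js",       // subdomain of a trusted site
  "https://known-bad.example/miner.js",      // already on the blacklist
  "https://evilexample.com/loader.js",       // substring trap for naive matching
  "https://fresh-compromised.example/x.js",  // harmful, but on nobody's list yet
];

// Evaluate every script under both policies; true means "would execute".
function evaluate(urls) {
  return urls.map((url) => ({
    url,
    blacklist: blacklistAllows(url, BLOCKED),
    whitelist: whitelistAllows(url, TRUSTED),
  }));
}

for (const result of evaluate(SCRIPTS)) {
  console.log(
    `${result.url}\n  blacklist runs it: ${result.blacklist}` +
    `\n  whitelist runs it: ${result.whitelist}`
  );
}
```

The last entry is the whole argument of the post: the blacklist runs the not-yet-listed site, the whitelist does not. The `evilexample.com` entry is there because a whitelist is only as strong as its matcher; a suffix check without the dot would have silently widened the trusted set.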