The problem with whitelists
A Computerworld article today referred to a report published by the National Consumers League in Washington DC, proposing ‘A Call to Action’ for fighting phishing. Although I haven’t fully reviewed the report, the text that popped out at me was a recommendation to use ‘whitelists’ to stop phishing attacks.
A whitelist is simply a list of places that are known to be good and safe to go to. Ideally you would add the web addresses of all of the banks and financial institutions, and of all of the legitimate online vendors, to the list. Any site not on the list would then be treated, at best, as unknown and, at worst, blocked by default.
The problem with whitelists is in their management. How does a vendor get on this list? Who manages the list? What happens if a legitimate vendor changes the web address of their payment page?
Quite quickly this becomes an operational nightmare, particularly when considered on a global scale. I can see this being beneficial if there is a way to create and manage personal whitelists, where the customer identifies a site as being good and trusted. Unfortunately this then becomes the next target for the social engineers, who would trick customers into adding fake sites to their private whitelists.
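To make the default-deny idea and its management cost concrete, here is a small added example (not code from the original post or the report it discusses). It uses constructed, hypothetical hostnames such as www.bank.example and evil.test. It contrasts a careless substring match against the list with a strict exact-hostname match: the careless version is trivially fooled by lookalike hostnames and by a URL with userinfo, while the strict version is safe but immediately blocks a legitimate vendor whose payment page has moved to a hostname nobody added to the list.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hostnames. These are hypothetical domains used
# only for illustration, not real institutions.
ALLOWLIST = {
    "www.bank.example",
    "secure.bank.example",
    "shop.vendor.example",
}


def hostname_of(url):
    """Return the lowercase hostname a browser would actually connect to.

    urlsplit() separates the userinfo part, so a URL such as
    'https://www.bank.example@evil.test/' yields 'evil.test', not
    the bank name that appears first in the string.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def naive_check(url):
    """Substring matching, the way a hurried implementation might do it.

    Any allowlisted name appearing anywhere in the URL text is accepted,
    which lets 'www.bank.example.evil.test' and 'www.bank.example@evil.test'
    through.
    """
    lowered = url.lower()
    return any(name in lowered for name in ALLOWLIST)


def strict_check(url):
    """Default deny: only an exact match on the connecting hostname passes."""
    host = hostname_of(url)
    return host is not None and host in ALLOWLIST


def classify(url):
    """Return 'allowed' or 'unknown' under the strict policy."""
    return "allowed" if strict_check(url) else "unknown"


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, three phishing-style lookalikes,
    # and one legitimate vendor page that moved to a hostname not on the list.
    samples = [
        "https://www.bank.example/login",
        "https://www.bank.example.evil.test/login",
        "https://www.bank.example@evil.test/login",
        "https://evil.test/?next=www.bank.example",
        "https://pay.bank.example/checkout",
    ]
    for url in samples:
        print(f"{url:45}  naive={naive_check(url)!s:5}  strict={classify(url)}")
```

The last sample is the operational problem the post raises: pay.bank.example is genuine, but a strict whitelist reports it as unknown until whoever manages the list learns of the change and updates it, and every customer of that vendor sees a block in the meantime.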
Glancing at the rest of the paper, it looks like a great resource, but the 6th recommendation for action, ‘ISPs and domain name owners can cooperate on whitelists’, sounds simple but will be operationally infeasible.
The phishing battle continues…