I begin to wonder how many folks finish articles before commenting.
I’m guilty of it myself sometimes: jumping straight into the comments section without really being thorough on the reading part. There are a couple of things I’d like to point out to all the folks who are Heap Big Angry at the ideas in the article.
The first is that I in no way believed that whitelists should be /mandatory/. I think that they should be something that folks have the choice of opting into or not, as they see fit.
The second is that in some situations whitelists really do make sense. A great example being business internet usage. Businesses have very little reason to communicate with a lot of the dangerous, offensive or even borderline offensive sites out there. A global whitelist or five, run by companies who take the time to hunt down and verify the businesses behind the websites would go a long way towards separating the signal from the noise.
The third thing I’d like to bring to everyone’s attention is that this is not a suggestion as “the ultimate solution,” but rather as a replacement for the blacklists of domains currently used as part of any proper defense in depth. Yes, whitelisted sites can be compromised, (see Apple,) but that is where the other elements of your defense in depth are (hopefully) going to save you.
The goal is to minimize your exposure to compromised sites by only dealing with websites that meet whatever arbitrary standard defines the whitelist to which you are subscribing. In my perfect world, there would be several whitelist providers, all with different standards in order to meet the differing needs of the corporations and individuals who would like to subscribe to them.
Lastly, I’d like to talk about the censorship bit. Properly run, with very stringent standards set outright at the creation of the whitelist, and rigidly adhered to, it should be possible for anyone who feels they have been improperly left off of a whitelist to add themselves. If the whitelist explicitly states that they will not be adding porn sites to the list, then I am sure Bob’s BDSM website isn’t going to get on the list. That new toilet paper cleaning company trying to make a name for itself probably could get verified and added to the list.
Despite the anger, the beginnings of this process already exist. There are initiatives out there to certify websites, from various categories of /very/ thoroughly checked SSL certificates to “site seals” provided by various organizations who do the hard work of verifying the legal existence of the individuals or corporations behind the registration and operation of a domain.
Where this falls down is that firstly, no big push has been made to increase the number of websites participating in these ventures; very few sites are part of such programmers today.
Secondly, there is no way (currently) through either a browser plugin or firewall addition to limit yourself to viewing only websites which have passed muster at one of these verification organizations.
What I would like to see corporately is exactly that: if your website has passed muster with selected “site seal” checking organizations, we’ll let our users view it. If not, we’ll dump the user on a landing page that says “the website you want to view has not been certified and is potentially malicious.” It would then allow the user to click through, but would by default disable all scripts etc. from that domain.
Easy, pain-free browsing whereby we generally “trust” certified websites, and many warnings and default total distrust of websites that haven’t been checked out. Think of it sort of like noscript meets web of trust meets malwaredomains.com implemented as an opt-in right from the corporate firewall.
I am sure that looks like censorship to some, but don’t forget that censorship is something forced on people. What I am suggesting is not
Biting the hand that feeds IT
