I’m not a big fan of the whitelist and blacklist terminology. The language is potentially harmful, but besides the racial implications, it’s also unclear. In this blog post, I’ll go over the traditional meaning of whitelist vs blacklist, and you’ll see why I say the alternative, dare I say progressive, terminology is also much clearer.
Origins of whitelist vs blacklist
The terminology has its origins in physical security, predating modern computer security by decades. A whitelist was a group of people an organization allowed to join or affiliate. A blacklist was a group of people the organization specifically didn’t allow, or banned.
Computer security adopted the same concept. Firewalls, web proxies, and endpoint security tools frequently use the terms. You use them to give those tools a list of IP addresses, web URLs, and applications that are either allowed or not allowed. The list can be global, or you can limit it to specific instances.
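To make the two list types concrete, here is a small added example (my own illustration, not code from the original post or from any particular firewall or proxy product). It models a filter that holds global entries plus per-instance entries, as the paragraph above describes, and evaluates the same subject under both policies. The class name ListFilter, the instance names such as web-proxy-1 and host-a, and all the sample entries are constructed for the example. The point it shows is the security difference hidden behind the colour words: an allow list is default deny (anything not listed is refused), while a block list is default allow (anything not listed gets through).

```python
"""Allow list vs block list: one filter, two default policies (constructed example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def _entry_matches(entry: str, subject: str) -> bool:
    """True if a list entry covers the subject.

    Entries may be CIDR networks (matched against IP subjects) or plain
    strings such as hostnames or executable names (matched case-insensitively).
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
        addr = ipaddress.ip_address(subject)
    except ValueError:
        # Either side is not an IP: fall back to an exact string comparison.
        return entry.lower() == subject.lower()
    return addr in net


@dataclass
class ListFilter:
    """A filter in 'allow' mode (default deny) or 'block' mode (default allow).

    global_entries apply everywhere; per_instance entries apply only to the
    named instance (e.g. one proxy or one endpoint), mirroring the global vs
    per-instance scoping the post mentions.
    """
    mode: str
    global_entries: set[str] = field(default_factory=set)
    per_instance: dict[str, set[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.mode not in ("allow", "block"):
            raise ValueError("mode must be 'allow' or 'block'")

    def is_permitted(self, subject: str, instance: str | None = None) -> bool:
        """Decide whether the subject gets through, optionally for one instance."""
        entries = set(self.global_entries)
        if instance is not None:
            entries |= self.per_instance.get(instance, set())
        listed = any(_entry_matches(e, subject) for e in entries)
        if self.mode == "allow":
            return listed        # allow list: only listed subjects pass
        return not listed        # block list: everything except listed subjects passes


# Constructed sample policies (hypothetical addresses, hosts and programs).
ALLOW = ListFilter(
    mode="allow",
    global_entries={"10.0.0.0/8", "updates.example.com"},
    per_instance={"web-proxy-1": {"cdn.example.net"}},
)
BLOCK = ListFilter(
    mode="block",
    global_entries={"203.0.113.0/24", "badapp.exe"},
    per_instance={"host-a": {"torrentclient.exe"}},
)


def demo() -> dict[str, bool]:
    """Evaluate a few subjects under both policies; unlisted subjects show the difference."""
    return {
        "allow:10.1.2.3": ALLOW.is_permitted("10.1.2.3"),
        "allow:192.0.2.5": ALLOW.is_permitted("192.0.2.5"),
        "allow:cdn global": ALLOW.is_permitted("cdn.example.net"),
        "allow:cdn web-proxy-1": ALLOW.is_permitted("cdn.example.net", "web-proxy-1"),
        "block:192.0.2.5": BLOCK.is_permitted("192.0.2.5"),
        "block:203.0.113.7": BLOCK.is_permitted("203.0.113.7"),
        "block:torrent global": BLOCK.is_permitted("torrentclient.exe"),
        "block:torrent host-a": BLOCK.is_permitted("torrentclient.exe", "host-a"),
        "block:BadApp.exe": BLOCK.is_permitted("BadApp.exe"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} -> {'permitted' if verdict else 'refused'}")
```

Note how the unlisted subject 192.0.2.5 is refused by the allow list but permitted by the block list: the name of the list tells you what happens to everything you forgot to mention, which is exactly what "whitelist" and "blacklist" fail to convey.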
Why the terminology is unclear
I know that the whitelist versus blacklist terminology is unclear because I’ve had to explain it a number of times. And the first time I heard it, the person had to explain it to me. The first time I heard it was in 1989. I was a member of a local club, and there were some people who shared the same interests who weren’t in the organization. I asked someone else my age about it, and he said, “Oh yeah, they’re on the blacklist.”
When I asked what that meant, he told me they caught one of them pirating software, and caught the other one phone phreaking. So they couldn’t be part of the organization or come to the events or meetings anymore.
The alternative terminology is allow list and deny list, or block list. I like the latter because the two words sound a lot alike, which makes the pair easier to remember.
And whether you agree with me or not about whether the terminology is problematic, you can use that to remember what the two phrases mean. Just remember that Dave, that uptight progressive, doesn’t like the phrase whitelist versus blacklist and wants you to use allow list versus block list instead.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
Allow/deny works. Care to jump into the master/slave discussion ?? Leader/follower doesn’t work.
For hard drives, I’ve generally found if I say primary/secondary or first drive/second drive, people understand what I mean. I was always uncomfortable with the terminology on IDE drives and I remember trying to write around it even back in 1999 when I was writing my O’Reilly book. My early drafts contained phrases like “If you have to have drives share an IDE channel, try not to put two hard drives on the same channel. Instead, have the hard drives share a channel with a CD-ROM drive.” Whether that wording was clever or ambiguous depends on who’s reading it. I think there were a few places in the published version where the conventional terminology ended up in the text but I really did want to avoid it altogether.