The Right and Wrong Way to Implement Blacklisting

May. 14, 2023 [technology] [privacy-security]

Blacklisting tools need to resist the temptation to centralize their blacklists. Sometimes it is not done intentionally, but that makes it no less harmful to user privacy. Barring instances where it is infeasible to distribute such a list due to size, referenceing a list of blocked resources should be possible entirely within the end user’s device.

As example of things done the wrong way see blacklisting DNS providers. I didn’t even know this was a thing until I stumbled across it while evaluating some blockers. Seriously, why are people outsourcing this to upstream resolvers? The local hosts file is the ideal place for this functionality. For a better way, one should look to implementations such as uBlock Origin’s blocklists, Clam AV’s signature databases or any other tools which sagely supply lists of known bad matches in their entirety to the client for direct use.

Some might argue that it is more efficient on network resources for clients to request only what they need to lookup or that it aids security since users could end up keeping stale copies locally. I do not view these things being so important as to justify making the easy profiling of users possible. The reason that many people find themselves even bothering with blacklisting in the first place is because they do not wish to be tracked and profiled.