The Goal

Whitetrash provides a user-friendly and sysadmin-friendly proxy that makes it significantly harder for malware to use HTTP and SSL for:

Current Status

The last commit made on whitetrash was in October 2010, and I haven't found any spare time to work on it since then. Since I no longer run whitetrash or maintain it, I'm now (May 2014) declaring the project abandoned. The code and website will remain available as is. I have received some email from people interested in forking the project, if that happens I'll post a link here.

Features

The operation of whitetrash is best demonstrated by the flash demo and screenshots.

Whitetrash features:

Whitetrash implements a whitelisted web proxy as a Squid plugin.

What Is Whitelisting?

Generally whitelisting is defined as having a default deny policy, and only allowing specific types of objects/packets/requests/strings/accounts - those that are known to be 'good'. Blacklisting is the opposite of this process where all types of objects/packets/requests/strings/accounts etc. are allowed by default, and only specific 'bad' entities on the blacklist are denied.

Whitetrash whitelists web traffic at the domain level, and is a powerful technique to eliminate (or at least make difficult) communications for a lot of malware.

How Does That Help?

Whitelisting is a technique that makes it difficult for malware to use HTTP and SSL.

Consider the following common scenario: malware is delivered to the user in the form of a word processor document attached to an email. The user opens the document, and the malware executes. The malware's next actions are usually to use HTTP to download tools, beacon back to the attacker, or exfiltrate data. With a whitelist in place, all of these actions will be blocked because the attacker's domain is not in the whitelist.

The whitelist also provides good protection against browser exploits, which often employ cross-site scripting or other techniques to present a legitimate looking web-page while downloading content from the attacker's website. The ghost in the browser paper told us malware is almost always downloaded from a different domain to the one visited by the user. With a whitelist in place, the download from the attacker's domain will be blocked.

A sophisticated attacker will often use different domains for exploitation, command/control, and data exfiltration. A whitelist will block all of these additional domains.

Next Release

Work on the next release is underway. On the roadmap:

More Information

See the FAQ or send me an email.

Get The Code

svn co https://whitetrash.svn.sourceforge.net/svnroot/whitetrash/trunk whitetrash