Dappy browser, cookies and CSRF attacks

by Raphaël

Dappy’s goal is to build an ultra-trustworthy name system and to expand the security features of current browsers, so that critical industries (fintech, DeFi, energy, banking, NGOs etc.) can safely and easily distribute public web applications and services. In this article we focus on one of the most well-known attacks on web browsers.

Cookies and web browsers today

Cookies in regular web browsers are stored per site. A tab on a.com that interacts with b.com and c.com may end up storing cookies in the user’s browser. Later, while browsing other websites, the user may unknowingly send that information to the corresponding web servers on each request.

This feature has two negative impacts. The first is the ease with which web services can track users: just store a cookie with any data in it, and every later interaction with your server will include this cookie, which identifies the user and probably stores personal information.

The second negative impact is an open door to Cross-Site Request Forgery attacks (CSRF, also written XSRF). CSRF attacks rely on a simple operation: impersonate someone by sending a request to a server and making sure that the cookies are included. This can succeed, for example, if the SameSite attribute has not been set properly, or if some malicious JavaScript gains access to the execution context.

Dappy browser’s shift

Dappy resolves this issue with a simple shift: isolation of cookies. Cookies in dappy have two levels of indexing instead of one: the first level is the domain currently browsed (the tab), and the second level is the web server that wishes to store a cookie. The consequence is simple: if you are visiting mysite, the cookies stored by any web server during this session will never be accessible outside of the mysite tab, even if some requests in other tabs (e.g. anothersite) target the same web servers.
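The two indexing schemes described above can be compared with a small model. This is an added example, not dappy's own code: the class names, the host api.bank.example and the cookie value are constructed for illustration, and the single-keyed jar models a cookie with no effective SameSite restriction.

```javascript
// Added illustration: a toy model of cookie storage, not dappy's implementation.
// Host names and cookie values below are constructed samples.

// Conventional jar: one level of indexing, keyed by the server only.
class SingleKeyedJar {
  constructor() { this.store = new Map(); }
  set(tabDomain, serverHost, name, value) {
    if (!this.store.has(serverHost)) this.store.set(serverHost, new Map());
    this.store.get(serverHost).set(name, value);
  }
  // The originating tab is ignored when choosing which cookies to attach.
  cookiesFor(tabDomain, serverHost) {
    return Object.fromEntries(this.store.get(serverHost) ?? []);
  }
}

// Isolated jar: first level is the tab's domain, second level is the server.
class DoubleKeyedJar {
  constructor() { this.store = new Map(); }
  set(tabDomain, serverHost, name, value) {
    if (!this.store.has(tabDomain)) this.store.set(tabDomain, new Map());
    const perTab = this.store.get(tabDomain);
    if (!perTab.has(serverHost)) perTab.set(serverHost, new Map());
    perTab.get(serverHost).set(name, value);
  }
  // Only cookies stored under the same tab domain are ever attached.
  cookiesFor(tabDomain, serverHost) {
    return Object.fromEntries(this.store.get(tabDomain)?.get(serverHost) ?? []);
  }
}

// Scenario: the server sets a session cookie while the user is in the mysite
// tab; a page in the anothersite tab then sends a request to the same server.
function crossTabRequest(jar) {
  jar.set('mysite', 'api.bank.example', 'session', 'abc123');
  return {
    sameTab: jar.cookiesFor('mysite', 'api.bank.example'),
    otherTab: jar.cookiesFor('anothersite', 'api.bank.example'),
  };
}

console.log('single-keyed:', crossTabRequest(new SingleKeyedJar()));
console.log('double-keyed:', crossTabRequest(new DoubleKeyedJar()));
```

With the single-keyed jar the request from the anothersite tab carries the session cookie; with the double-keyed jar it carries none, so the server sees an unauthenticated request.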

We believe that cookies are very handy and benefit the web experience as a whole, but the cross-domain availability of cookies, for critical web services, is less of a benefit and more of a pain and an attack vector. Almost every website that uses cookies for session identification does not need cross-site cookies. Cross-site attacks become almost impossible in dappy, even if web servers forget to set the SameSite and Secure attributes of their cookies; at the very least, the attack surface is reduced by 95%.

Dappy is halfway between embracing web standards and shifting away from them. Our goal is to keep only the best, and drop the features that make web services more vulnerable. This article focuses on cookies; dappy also embraces another philosophy for its name system, and Content-Security-Policy at the name system level.

We provide free assistance for companies that wish to try dappy. You can reach out to us by email at hello[at]dappy.tech or through the dappy.tech/contact form.