Dappy browser, cookies and CSRF attacks
Dappy’s goal is to build an ultra-trustworthy name system and to expand the security features of current browsers in order to allow for critical industries (fintech, defi, energy, banking, NGOs etc.) to safely and easily distribute public web applications and services. In this article we focus on one of the most well-known web attack on web browsers.
Cookies and web browsers today
Cookies on regular web browsers are stored in a per site fashion. A tab a.com interacting with b.com and c.com may end up storing cookies on the user’s browser. And later, the user browsing other websites, without knowing may communicate those informations to the corresponding web servers on each request.
This feature has two negative impacts, the first one is the ease with which web services can track users: just store a cookie with any data in it, and then every interaction with your server will include this cookie that identifies the user and probably stores personal informations.
Dappy browser’s shift
Dappy resolves this issue with a simple shift: isolation of cookies. Cookies in dappy have two levels of indexing instead of one, the first level is the domain currently browsed (the tab), the second level is the web server that wishes to store a cookie. The consequence is simple, if you are visiting mysite, all the cookies stored by any web server during this session will never be accessible outside of the mysite tab, even if some requests in other tabs (ex: anothersite) target the same web servers.
Dappy is half way between embracing web standards, and shifting away from them. Our goal is to only keep the best, and drop the features that make web services more vulnerable. This article focuses on cookies, dappy also embraces another philosophy for its name system, and Content-Security-Policy at the name system level.
We provide free assistance for companies that wish to try dappy, you can reach out to us by email hello[at]dappy.tech or through the dappy.tech/contact form.