Why dappy?

Dappy is a name system with direct encryption. DNS and the certificate authority system only allow indirect TLS identities; in that setting, web portals can only achieve limited security and privacy because they rely on many identity providers, each of which constitutes a vector of control or attack.

Dappy allows direct management of identities, and thus removes entire families of attack and allows more private, stable and secure web services, B2B portals and SaaS to exist on the public web.

Critical B2B portals handling container shipping

Cybersecurity context

Across many industries, cybersecurity and security awareness are now more than ever a strategic topic: attacks become more and more elaborate, and many businesses are disrupted at unprecedented levels. In parallel, digitization, a lean user experience, and the expansion and multiplication of digital services are a goal and a requirement for many in order to stay competitive.

The public web is the go-to platform for quickly deploying a web portal and allowing third-party customers, suppliers or partners to read or download data, trigger business operations or communicate key information.

SaaS, web portals and cyberattacks: some numbers

Public-facing web apps are now the most widely used attack vector to penetrate an organization’s perimeter. Attacks that start in web apps increased from 31.5% in 2020 to 53.6% in 2021 according to Kaspersky Incident Response Analytics Report, 2022.

The Global DNS Threat Report by EfficientIP (2021) also reports $950k as the average cost of a DNS attack (downtime and/or brand damage).

Also, the cost of phishing went from USD 3.8M in 2015 to USD 14.8M in 2021 according to the Ponemon Institute, The 2021 Cost of Phishing Study.

Ransomware, TLS interception (man-in-the-middle), phishing, DNS attacks through registries or registrars: so many things can happen that a company will often prioritize protection of its biggest attack surfaces and leave other areas less protected.

To understand how millions of businesses ended up in this situation, one must consider that the public web was not designed for critical web portals or high-value B2B use cases, but in a very open and permissive fashion. The public web is great for social media, blogging and retail e-commerce, but not a great place for many other applications to thrive. Not all websites deal with the same level of criticality, process the same sensitive data or must obey the same compliance rules.

DNS, certificate authorities, HTTPS and browsers

The web works broadly on the concept of unique trusted authorities: Verisign operates the .com registry, AFNIC the .fr registry, and on top of the registries thousands of registrars exist, each with hundreds of employees. Each segment of the DNS chain constitutes an attack vector that can (and in the past has) shut down a given business's operations. It is even worse on the HTTPS / certificate authority side: on Windows, 400+ root certificates are installed, and any one of these 400 organizations could potentially issue a certificate for any domain and conduct man-in-the-middle interception without the site owner being involved (Certificate Transparency makes such misissuance auditable after the fact, but does not stop the interception itself). Identities on the public web are indirect identities: they are structurally dependent on many providers that must coordinate with one another. That is why the achievable level of security and criticality is limited. A security engineer concerned about the security of their web applications will also notice that regular browsers allow 100,000+ browser extensions to be installed in one click, adding yet another level of unpredictability.

Are we sure that this is the right setup for web portals that carry very critical data, or millions of dollars worth of B2B operations each day?

dappy

Critical B2B web portal handling sensitive construction data

Dappy is a name system with direct encryption. It is a public name system, HTTPS infrastructure and set of web browsers engineered for enterprise, specifically tuned for critical web portals and B2B operations. It provides military-grade security, resiliency and privacy to its users and to the service providers exposing their websites on the system. Dappy is as easy to use as a regular web browser or the DNS. In addition, certificate management is made easier: there are no certificate renewals, as the name system itself is the anchor for certificate distribution.

By switching to dappy, or at least choosing a hybrid dappy+DNS distribution model, a given company (we'll call it Company A) instantly provides the security benefits of DNSSEC, DNS-over-HTTPS and in-house TLS certificate installation to all its customers or clients that need remote access to one or many web portals.

How does it work?

A critical supply chain web portal secured by co-resolution

Dappy is a naming system separate from DNS, with a browser built specifically for mission-critical web applications. The protocol breaks with the logic of placing trust in a designated authority for a given resource; it uses the principle of distributed trust and enforces that trust is always placed in a network of independent companies with no single point of failure or decision, instead of in a designated organization (like a CA or a DNS operator).

Step 1, state sharing / blockchain

At the core of dappy there is the dappy network, a network (not tokenized) of infrastructure companies located in different countries that share their state using a technology such as a blockchain. The name system is encoded in that shared state: Company A can purchase a domain such as companya.d and freely add IP addresses and self-signed certificates to its zone (remember: there are no certificate authorities anymore). Because no CA signature is involved, the binding between the name and the certificate is the zone record itself, so the security of every TLS connection to companya.d reduces to the integrity of that record and of its retrieval.

Step 2, co-resolution

Now that the name system holds the right data and Company A has exposed its web resources through the dappy name system, its clients, suppliers or customers need to discover the websites (service discovery). That is the critical part, because they only know the domain name.

Dappy's service discovery is based on co-resolution, which guards this critical step of retrieving IP addresses and TLS certificates. The browser directly asks many members of the dappy network for the IP addresses and TLS certificates corresponding to a given resource, then checks whether the responses agree. Only if at least 90%, or even 100%, of the responses are identical does the browser connect to the final web server. No single member of the network can substitute an alternative certificate on its own: to intercept a connection, an attacker would have to control enough members to pass the agreement threshold. The threshold also fixes the trade-off between integrity (higher is stricter) and availability (at 100%, a single unreachable or stale member blocks resolution). The check is only as strong as the browser's list of network members and its comparison of the certificates themselves, not merely of the IP addresses, so both must be authentic and complete.
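As an added example covering both steps above (this is not dappy's own code, and not its zone or wire format), here is the co-resolution check from Step 2 applied to the kind of record Step 1 publishes, written in Python with constructed data: ten hypothetical network members answer for companya.d, and the client accepts a record only when at least a configurable fraction of the queried members agree on the same IP set and certificate fingerprint. The record layout, the member names m1..mN, the IP addresses and the certificate strings are assumptions for illustration.

```python
import hashlib
from collections import Counter

# Constructed data: the record layout ({"ips": [...], "cert": PEM}), the member
# names m1..mN and the certificate strings are assumptions for this example,
# not dappy's actual zone or wire format.
HONEST_RECORD = {
    "ips": ["203.0.113.11", "203.0.113.10"],
    "cert": "-----BEGIN CERTIFICATE-----\n"
            "CONSTRUCTED-SELF-SIGNED-CERT-FOR-companya.d\n"
            "-----END CERTIFICATE-----\n",
}
# What a compromised member would hand out: the same IPs with a substituted
# certificate, which is exactly the case a comparison of IPs alone would miss.
ROGUE_RECORD = {
    "ips": ["203.0.113.10", "203.0.113.11"],
    "cert": "-----BEGIN CERTIFICATE-----\n"
            "CONSTRUCTED-ATTACKER-CERT-FOR-companya.d\n"
            "-----END CERTIFICATE-----\n",
}


class ResolutionError(Exception):
    """Raised when the queried members do not agree: the client must not connect."""


def fingerprint(cert_pem: str) -> str:
    """SHA-256 over the certificate bytes; this is what the browser pins for the TLS handshake."""
    return hashlib.sha256(cert_pem.encode()).hexdigest()


def canonical(record: dict) -> tuple:
    """Comparison key: the order of IPs is irrelevant, the certificate identity is not."""
    return (tuple(sorted(record["ips"])), fingerprint(record["cert"]))


def co_resolve(answers: list, threshold: float = 1.0, min_members: int = 3) -> dict:
    """answers: list of (member_name, record or None for timeout/error).

    Returns the agreed record only if at least `threshold` of the *queried*
    members returned the same canonical record. Missing answers count against
    agreement, so an attacker cannot lower the bar by blocking honest members.
    """
    if len(answers) < min_members:
        raise ResolutionError("only %d members queried, need %d" % (len(answers), min_members))
    received = [(name, rec) for name, rec in answers if rec is not None]
    if not received:
        raise ResolutionError("no member answered")
    tally = Counter(canonical(rec) for _, rec in received)
    best_key, best_count = tally.most_common(1)[0]
    agreement = best_count / len(answers)
    if agreement < threshold:
        dissenting = [name for name, rec in received if canonical(rec) != best_key]
        missing = [name for name, rec in answers if rec is None]
        raise ResolutionError(
            "agreement %.0f%% is below the %.0f%% threshold (dissenting: %s, missing: %s)"
            % (100 * agreement, 100 * threshold, dissenting, missing))
    return next(rec for _, rec in received if canonical(rec) == best_key)


def build_answers(n_honest: int, n_rogue: int = 0, n_timeout: int = 0) -> list:
    """Construct one query round against hypothetical members m1..mN."""
    records = [HONEST_RECORD] * n_honest + [ROGUE_RECORD] * n_rogue + [None] * n_timeout
    return [("m%d" % (i + 1), rec) for i, rec in enumerate(records)]


def outcome(answers: list, threshold: float) -> str:
    """'accept:<fingerprint prefix>' or 'reject:<reason>' for one query round."""
    try:
        return "accept:" + fingerprint(co_resolve(answers, threshold)["cert"])[:12]
    except ResolutionError as err:
        return "reject:" + str(err)


if __name__ == "__main__":
    for label, answers, threshold in [
        ("10 honest members, 100%", build_answers(10), 1.0),
        ("1 compromised member, 90%", build_answers(9, 1), 0.9),
        ("1 compromised member, 100%", build_answers(9, 1), 1.0),
        ("3 colluding members, 90%", build_answers(7, 3), 0.9),
        ("2 members unreachable, 90%", build_answers(8, 0, 2), 0.9),
    ]:
        print("%-28s %s" % (label, outcome(answers, threshold)))
```

Two design points worth noting. Agreement is computed against the number of members queried rather than the number that answered, so an attacker who can block honest members cannot turn a minority into a majority; the cost is that at a 100% threshold any unreachable member makes the name unresolvable, which is the integrity-versus-availability trade-off the threshold encodes. And the comparison key includes the certificate fingerprint, because a compromised member attempting interception would typically keep the real IPs and swap only the certificate.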

This concludes the "Why" and "How". We'd love to hear your take on this topic and how the dappy approach resonates with your enterprise goals or challenges!