Environmental detection and browser verification

When a new user session is initiated, RCSI detects and verifies the authenticity of the environment.

  1. The user’s browser is subjected to several dozen tests, verifying the features known to be supported by that browser. This includes hidden canvases, video and audio in various formats, WebRTC and other advanced networking protocols, screen resolution, and more.

  2. The browser is subjected to an invisible “attack”: subtle errors are injected into the environment, and the browser engine’s reactions are captured and analyzed. Reblaze verifies that the exceptions and error messages are those which should be generated, if the browser is what it claims to be. (It is very difficult for threat actors to spoof this behavior using headless browsers and emulators, since there is an infinite number of possible errors to which any browser can be subjected, and threat actors need to replicate the actual reactions for each possible input.)

  3. The above process only takes milliseconds, and it is completely transparent to the end user.

  4. Once a browser has passed these tests, Reblaze signs it cryptographically. This signature accompanies all subsequent activity.

This process applies to browser-based applications.

It does not apply to mobile/native applications, because there is no browser to detect. For these applications, the environment is verified via the Client authentication process instead.

Last updated