Published on April 4th, 2024
Key Points
- DBSC aims to disrupt the cookie theft industry by binding authentication sessions to the device.
- This will make stolen cookies worthless to attackers.
- DBSC uses cryptography to tie sessions to the device.
- A public/private key pair is created by the browser on the device.
- The private key is stored securely using Trusted Platform Modules (TPMs).
- The server can verify proof-of-possession of the private key to ensure the session is active on the same device.
- DBSC will be initially rolled out to roughly half of Chrome’s desktop users based on the hardware capabilities of their machines.
Google has announced a groundbreaking feature in Chrome called Device Bound Session Credentials (DBSC), designed to protect users against session cookie theft by malware.
The Prototype: A Step Towards An Open Web Standard
In a pilot phase, DBSC is being tested with select Google Account users running Chrome Beta. The aim is to make this feature an open web standard, as stated by Google’s Chromium team.
Disrupting Cookie Theft Industry
The primary goal of DBSC is to bind authentication sessions to the device, rendering stolen cookies useless. According to Google, this move aims to significantly reduce the success rate of cookie theft malware.
The Need For Enhanced Security Measures
The backdrop of this development is the rise of information-stealing malware that can bypass multi-factor authentication (MFA) protections, allowing threat actors unauthorized access to online accounts.
Recent Malware Attacks And Google’s Response
Google’s Threat Analysis Group (TAG) reported instances where malware stole cookies to hijack accounts for nefarious purposes, such as cryptocurrency scams. In response, Google continuously updates its defenses against such threats.
DBSC: A Cryptographic Approach
DBSC introduces a cryptographic solution tying sessions to the device, making it harder for adversaries to exploit stolen cookies and compromise accounts.
The Technical Details Of DBSC
The feature is offered through an API, allowing a server to associate a session with a public key created by the browser. This key pair is stored locally on the device using Trusted Platform Modules (TPMs).
Key Features Of DBSC API
- Each session has a separate key, so keys from the same device cannot be linked across sessions.
- The API ensures periodic proofs of possession of keys throughout the session to maintain security.
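The challenge/response flow these bullets describe, as an added illustration that is not Google's or Chromium's code: the server binds a cookie to the browser's public key at login, issues a nonce when the session needs refreshing, and accepts the refresh only if the nonce is signed with the matching private key. It assumes P-256 ECDSA, an in-memory session store, and a software key standing in for the TPM-held one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Session binds a cookie value to the public key the browser registered at login.
type Session struct {
	PubKey    *ecdsa.PublicKey
	Challenge []byte // pending single-use nonce; nil when none is outstanding
}
type Server map[string]*Session

// StartSession binds a freshly issued cookie to the device's public key.
func (s Server) StartSession(cookie string, pub *ecdsa.PublicKey) {
	s[cookie] = &Session{PubKey: pub}
}

// IssueChallenge hands the device a fresh nonce it must sign to stay logged in.
func (s Server) IssueChallenge(cookie string) []byte {
	sess, ok := s[cookie]
	if !ok {
		return nil
	}
	sess.Challenge = make([]byte, 32)
	rand.Read(sess.Challenge)
	return sess.Challenge
}

// Refresh is the proof-of-possession check: the signature over the pending
// challenge must verify under the key bound at login, so a copied cookie fails.
func (s Server) Refresh(cookie string, sig []byte) bool {
	sess, ok := s[cookie]
	if !ok || sess.Challenge == nil {
		return false
	}
	digest := sha256.Sum256(sess.Challenge)
	sess.Challenge = nil // consume the nonce so a captured proof cannot be replayed
	return ecdsa.VerifyASN1(sess.PubKey, digest[:], sig)
}

// Device models the browser; in DBSC the private key would live in the TPM (software key here).
type Device struct{ Priv *ecdsa.PrivateKey }

func NewDevice() *Device {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{Priv: k}
}

// Sign produces the proof of possession for one challenge.
func (d *Device) Sign(challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, d.Priv, digest[:])
	return sig
}
```

A cookie lifted by malware still reaches the server, but without the device's private key the attacker cannot answer the next challenge, and a captured signature cannot be replayed because each nonce is consumed on first use.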
Implementation And Future Plans
Support for DBSC will initially roll out to about half of Chrome’s desktop users based on hardware capabilities. The feature aligns with Google’s plans to phase out third-party cookies by the end of the year via the Privacy Sandbox initiative.
Collaboration And Origin Trials
Google is collaborating with server providers, identity providers (IdPs), and browser vendors like Microsoft Edge and Okta on DBSC. Origin trials for all supported websites are scheduled to begin by the end of the year.
Google Chrome is testing a new feature called Device Bound Session Credentials (DBSC) to protect users against session cookie theft by malware.