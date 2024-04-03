



Google is working on a new security feature in Chrome called Device Bound Session Credentials (DBSC) that aims to prevent attackers from using stolen session cookies to access user accounts.

Session (or authentication) cookies are stored by your browser when you log in to a web resource. Once in possession of one, an attacker can launch a pass-the-cookie attack by inserting the stolen access token into a new web session and impersonating the original user without authenticating.

Disrupting the cookie theft ecosystem

For some time now, attackers have been stealing session cookies, usually using malware, so they can bypass multi-factor authentication.

DBSC is intended to bind authentication sessions to devices, making stolen cookies worthless unless an attacker can operate locally on the device. But if forced to do so, their presence is more likely to be detected, said Kristian Monsen, a senior software engineer on Google's Chrome Counter Abuse team.

“At a high level, the DBSC API allows a server to start a new session with a specific browser on a device. When the browser starts a new session, a new public/private key pair is created locally on the device. The key pair is created locally, and the operating system is used to securely store the private key in a way that is difficult to export,” he explained.

“Chrome uses features such as Trusted Platform Module (TPM) to protect keys, which is becoming more common and required in Windows 11, and is also considering support for software isolation solutions.”

Each session is associated with a public key. The server can check if the user/device accessing the resource has the private key, and will check throughout the lifetime of the session to ensure that the session is on the same device.

“To make this achievable from a latency perspective and to help migrate existing cookie-based solutions, DBSC uses these keys to create short-lived cookies and maintain cookie freshness. This is done out of band of normal web traffic, reducing the changes required to traditional websites and apps,” added Monsen.
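The flow described in the two passages above (a per-session key pair, a server that keeps proving the device still holds the private key, and short-lived cookies refreshed out of band) can be modelled end to end. The following Go program is an added example and is not Chrome's or Google's DBSC code; it assumes ECDSA P-256 keys, a constructed ten-minute cookie lifetime, a random-nonce challenge as the proof of possession, and a fake clock passed explicitly so the expiry behaviour is deterministic. The real protocol's wire format is not reproduced here, only its security property: a copied cookie works until it expires, and only the key holder can obtain a fresh one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// CookieTTL is the lifetime of each short-lived cookie (constructed value, not DBSC's).
const CookieTTL = 10 * time.Minute

// Session is the server-side record that binds one session to one public key.
type Session struct {
	PubKey        *ecdsa.PublicKey
	Cookie        string
	CookieExpires time.Time
	Challenge     []byte // outstanding refresh nonce; nil when none is pending
}

// Server keeps sessions by session ID; the clock is passed in by callers.
type Server struct{ sessions map[string]*Session }

func NewServer() *Server { return &Server{sessions: map[string]*Session{}} }

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// StartSession registers the browser's public key and issues the first short-lived cookie.
func (s *Server) StartSession(pub *ecdsa.PublicKey, now time.Time) (sessionID, cookie string) {
	sessionID, cookie = randomHex(8), randomHex(16)
	s.sessions[sessionID] = &Session{PubKey: pub, Cookie: cookie, CookieExpires: now.Add(CookieTTL)}
	return sessionID, cookie
}

// Authorize is the ordinary request path: only the bearer cookie and its expiry are checked.
func (s *Server) Authorize(sessionID, cookie string, now time.Time) bool {
	sess, ok := s.sessions[sessionID]
	return ok && sess.Cookie == cookie && now.Before(sess.CookieExpires)
}

// IssueChallenge starts the out-of-band refresh by handing the client a fresh nonce to sign.
func (s *Server) IssueChallenge(sessionID string) ([]byte, error) {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return nil, errors.New("unknown session")
	}
	sess.Challenge = make([]byte, 32)
	if _, err := rand.Read(sess.Challenge); err != nil {
		return nil, err
	}
	return sess.Challenge, nil
}

// Refresh verifies the signed nonce against the session's public key and, only on success,
// rotates the cookie. A party holding the cookie but not the private key stops here.
func (s *Server) Refresh(sessionID string, sig []byte, now time.Time) (string, error) {
	sess, ok := s.sessions[sessionID]
	if !ok || sess.Challenge == nil {
		return "", errors.New("no challenge outstanding")
	}
	digest := sha256.Sum256(sess.Challenge)
	sess.Challenge = nil // each nonce is single use
	if !ecdsa.VerifyASN1(sess.PubKey, digest[:], sig) {
		return "", errors.New("proof of possession failed")
	}
	sess.Cookie, sess.CookieExpires = randomHex(16), now.Add(CookieTTL)
	return sess.Cookie, nil
}

// Browser models the client: it generates the key pair and signs refresh challenges.
type Browser struct{ priv *ecdsa.PrivateKey }

func NewBrowser() *Browser {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Browser{priv: priv}
}

func (b *Browser) PublicKey() *ecdsa.PublicKey { return &b.priv.PublicKey }

func (b *Browser) Sign(challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, b.priv, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Outcome records what a copied cookie can and cannot do compared with the key holder.
type Outcome struct{ ThiefBeforeExpiry, ThiefAfterExpiry, ThiefRefreshed, VictimRefreshed, VictimAfterRefresh bool }

// Scenario runs the flow on a constructed clock: the cookie is copied off the device,
// replayed before and after expiry, and both parties attempt the out-of-band refresh.
func Scenario() Outcome {
	t0 := time.Date(2024, 4, 3, 12, 0, 0, 0, time.UTC) // constructed start time
	srv, browser := NewServer(), NewBrowser()
	sid, cookie := srv.StartSession(browser.PublicKey(), t0)
	stolen, later := cookie, t0.Add(CookieTTL+time.Minute)
	var out Outcome
	out.ThiefBeforeExpiry = srv.Authorize(sid, stolen, t0.Add(time.Minute))
	out.ThiefAfterExpiry = srv.Authorize(sid, stolen, later)
	ch, _ := srv.IssueChallenge(sid)
	_, err := srv.Refresh(sid, NewBrowser().Sign(ch), later) // wrong key: no private key for sid
	out.ThiefRefreshed = err == nil
	ch, _ = srv.IssueChallenge(sid)
	fresh, err := srv.Refresh(sid, browser.Sign(ch), later)
	out.VictimRefreshed = err == nil
	out.VictimAfterRefresh = srv.Authorize(sid, fresh, later.Add(time.Minute))
	return out
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

The ordinary request path deliberately checks nothing but the cookie, which is what lets existing cookie-based sites adopt the scheme without changing every request handler; the binding to the device is enforced only at refresh time, so the window in which a copied cookie is useful is bounded by the cookie lifetime rather than by the session lifetime.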

No online tracking

Monsen asserts that DBSC does not allow sites to associate keys from different sessions on the same device, so these keys cannot be used to track users online. Additionally, users can delete keys at any time if they wish.

“DBSC will fully support the phaseout of third-party cookies in Chrome. In the third-party context, DBSC will have the same availability and/or segmentation, which ensures that DBSC does not become a new tracking vector after third-party cookies are phased out, while also allowing such cookies to be fully protected in the meantime,” he said.

“If a user opts out of cookies, third-party cookies, or cookies for a particular site completely, DBSC will also be disabled in these scenarios.”

DBSC: An open web standard?

The feature is still in development, limited to a small number of users running Chrome Beta, and Google's plan is to have it available for developers to try by the end of the year.

Google also expects DBSC to become an open web standard.

“Many server providers, identity providers (IdPs) like Okta, and browsers like Microsoft Edge are interested in DBSC because they want to protect their users from cookie theft. We are working with all stakeholders to ensure that we come up with standards that can be applied to different types of websites while protecting them,” Monsen said.

