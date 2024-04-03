



Google believes that cookie theft is a problem for users, and is trying to address the issue with a mechanism that ties authentication data to a specific device, rendering stolen cookies useless.

Websites still widely use cookies: small pieces of data your browser stores on your local computer that hold information about your session, keep you signed in, and save your site preferences.

However, malware can target cookies simply by copying them from a user's hard drive and sending them to a remote attacker, who then uses the session information in the cookie to access the associated website, and from there the user's data.

Google said it is currently working on a new web feature called Device Bound Session Credentials (DBSC) to combat this threat. The idea behind this is to use a cryptographic key to tie the session to the user's specific computer or device.

“By binding the authentication session to the device, DBSC aims to disrupt the cookie theft industry by rendering stolen cookies of no value. We think this will significantly reduce the success rate of cookie theft malware,” said Kristian Monsen of the Chrome Counter Exploit Team, writing on Google's Chromium blog.

This is expected to work as follows. When a browser starts a new session, it creates a new public/private key pair locally on the device and has the operating system store the private key securely. Google says the Chrome browser uses features such as the Trusted Platform Module (TPM) to do this.

The DBSC API allows a web server to associate a generated public key with a session, and the session can be periodically refreshed with cryptographic proof that it is still bound to the original device. This is done out of band from normal web traffic and only when the user is actively using the session.

According to Google, each session is backed by a unique key, and DBSC protects privacy by not allowing sites to associate keys from different sessions opened on the same device. The only information sent to the server is the per-session public key, which the server uses to verify proof of possession of the key.

Google expects the Chrome browser to initially support DBSC for “about half of desktop users,” based on the current hardware capabilities of machines out there. For example, not all computers have a TPM, but it is becoming more common because Microsoft requires one to run Windows 11, and there are software-based alternatives.

“We might consider supporting software keys for all users, regardless of hardware capabilities. This would allow DBSC to prevent servers from differentiating between users based on hardware capabilities or device state,” Monsen said.

This is all very well, but if only Google implements this technology, DBSC is unlikely to become widespread. Monsen said he has also seen interest from other companies in the industry, including identity providers and Microsoft's own Edge browser. He added that Google is developing the project openly on GitHub with the goal of it becoming an open web standard.

If you're interested, the project's GitHub README has instructions.

Google said DBSC will be “fully aligned” with the phasing out of third-party cookies in Chrome, and that it is now running an experiment using the technology to protect some Google Account users running Chrome Beta.

“This is an early effort to evaluate the reliability, feasibility, and latency of the protocol at complex sites, while providing meaningful protection for users,” Monsen said.

“Once fully rolled out, consumers and business users will see the security of their Google accounts automatically upgraded internally, and Google Workspace and Google Cloud customers will be able to take advantage of this technology. We're also working to provide you with another layer of account security.”

If you're a long-time reader, you may remember that Intel once tried to tout the unique processor serial number (PSN) built into each CPU by claiming similar security benefits. However, a row broke out over the possibility that the serial number could be used to track users online, and Intel was forced to back down.

