Google Chrome gets ‘Device Bound Session Credentials’ to combat cookie theft

Google introduced a new Chrome security feature called ‘Device Bound Session Credentials’ (DBSC). This feature links cookies to a specific device, preventing hackers from stealing and using them to take over users’ accounts.

Understanding Cookies and Cookie Theft Malware

Cookies are small files that websites use to store browsing information, making online experiences smoother. However, they’re also targeted by hackers for unauthorized access to accounts.

Hackers often use malware to steal cookies, gaining access to users’ accounts. Malware-as-a-Service operators spread such malware through social engineering, convincing users to install it.

Once installed, the malware extracts authentication cookies, allowing attackers to sell compromised accounts.

Introducing Device Bound Session Credentials (DBSC)

To tackle this issue, Google is developing a new web capability known as Device Bound Session Credentials (DBSC).

By associating authentication sessions with the device, DBSC aims to disrupt the cookie theft industry, rendering stolen cookies worthless.

This shift forces attackers to operate locally on the device, which makes detection and cleanup more effective.

Technical Solution: DBSC

At its core, the DBSC API lets a server start a session with a specific browser on a device. For each session the browser generates a unique public/private key pair and stores it securely on the device, so an attacker cannot simply copy the key along with the cookies.

This solution utilizes Trusted Platform Modules (TPMs) for key protection and maintains the freshness of short-lived cookies through a dedicated DBSC-defined endpoint.

  • Preserving User Privacy: DBSC safeguards user privacy by preventing sites from correlating keys from different sessions on the same device. Users can delete keys at any time, and DBSC doesn’t disclose device information beyond its ability to offer secure storage.
  • Improving User Protection: Google is experimenting with DBSC to protect Chrome Beta users. Once fully deployed, DBSC will enhance security for Google accounts automatically, benefiting both consumers and enterprise users.

Testing DBSC

While still in the prototype phase, DBSC can be tested by enabling the “enable-bound-session-credentials” flag in Chromium-based browsers.

Interest Beyond Google

Several server providers, identity providers (IdPs), and browsers have shown interest in DBSC, highlighting the broader industry support for enhanced security measures.

Google is actively engaging with stakeholders to develop a standard that caters to various website types while preserving user privacy.

Availability

Development updates and announcements regarding DBSC are available on GitHub.

Google aims to facilitate origin trials for interested websites by the end of 2024 and invites participation and feedback from all parties interested in bolstering online security.
