Cookie theft malware steals authentication cookies to gain access to web accounts, and the Google Chrome team is proposing Device Bound Session Credentials (DBSC) to counter it.
Cookies – small pieces of data that a site stores in your browser – are fundamental to the modern web. They make your online experience easier by saving browsing state, so that sites can do things like keep you signed in and remember your site preferences. Because they carry that much authority, cookies are also a lucrative target for attackers.
Because the theft happens after login, two-factor authentication and other login-time checks are bypassed, and the stolen cookies keep working even after antivirus software removes the local malware, since nothing ties the session to the device it was created on.
Google is working on Device Bound Session Credentials to counter cookie theft by “binding authentication sessions to the device” with a “public/private key pair locally on the device.” The private key is kept in the (desktop) operating system’s key storage, backed by a Trusted Platform Module where available or by a software-based alternative, which makes it much harder to export.
The API allows a server to associate a session with this public key, as a replacement or an augmentation to existing cookies, and verify proof-of-possession of the private key throughout the session lifetime.
On the user privacy front, “each session is backed by a unique key and DBSC does not enable sites to correlate keys from different sessions on the same device.” Google is working to make sure “DBSC does not become a new tracking vector once third-party cookies are phased out.”
DBSC doesn’t leak any meaningful information about the device beyond the fact that the browser thinks it can offer some type of secure storage. The only information sent to the server is the per-session public key, which the server later uses to verify proof of possession of the corresponding private key.
Google wants to make DBSC an open web standard, and you can follow the work at github.com/WICG/dbsc. Microsoft Edge, Okta, and other identity providers have expressed interest in the standard. Google is aiming for origin trials by the end of 2024.
It’s already being tested in Chrome Beta for some Google Accounts: “This is an early initiative to gauge the reliability, feasibility, and the latency of the protocol on a complex site, while also providing meaningful protection to our users. When it’s deployed fully, consumers and enterprise users will get upgraded security for their Google accounts under the hood automatically.”
“We are also working to enable this technology for our Google Workspace and Google Cloud customers to provide another layer of account security,” Google adds.