Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Chrome to Fight Cookie Theft With Device Bound Session Credentials 

Google is bringing to Chrome new features to bind browser sessions to the device and protect users against cookie theft.

Chrome security updates

Google is bringing new user protection capabilities to Chrome, in the form of Device Bound Session Credentials (DBSC), new technology that binds browser authentication sessions to the device to fight cookie theft.

Developed in the open by the Web Incubator Community Group (WICG) and expected to become an open standard, DBSC relies on authentication with a private key to keep users’ sessions secure.

Small pieces of code created by visited websites and stored on devices, cookies improve users’ browsing experience, but operate as bearer-token schemes and can be abused to compromise web accounts.

Authentication cookies are created after the login and, if stolen, allow threat actors to bypass two-factor authentication and gain immediate access to the victims’ accounts.

Cookies are typically harvested using information-stealing malware that the web browsers cannot protect their users against, and, once stolen, can be used even if the malware is detected and removed.

With DBSC, the session between the server and the browser is associated with a pair of public and private keys that are stored safely on the device. Throughout the session’s lifetime, the server periodically checks for the private key, to ensure it is still on the same device.

“We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices,” Google says.

DBSC provides websites with an API to control the lifetime of such keys and the protocol to check for proof of possession. Each session has its own private key and the website should not be able to determine whether two keys are from the same device.

Advertisement. Scroll to continue reading.

“At sign-in, the API informs the browser that a session starts, which triggers the key creation. It then instructs the browser that any time a request is made while that session is active, the browser should ensure the presence of certain cookies. If these cookies are not present, DBSC will hold network requests while querying the configured endpoint for updated cookies,” DBSC’s maintainers explain.

According to Google, which is bringing DBSC for half of Chrome’s desktop users, no meaningful information about the device is leaked: “the only information sent to the server is the per-session public key which the server uses to certify proof of key possession later.”

DBSC will be available in Chrome based on the computer’s hardware capabilities – although Google may also consider support for software keys for all users – and its implementation will be aligned with the phase-out of third-party cookies.

The internet giant is also taking steps to ensure that DBSC does not become a new tracking vector when third-party cookies are eliminated, and that these cookies remain protected in the meantime. When a user opts out of cookies, DBSC will also be disabled.

Google is currently trying out a DBSC prototype on Google Accounts in Chrome Beta. When fully deployed, it will provide both consumers and enterprise users with improved account security under the hood. Origin trials for websites should become available by the end of 2024.

“We are also working to enable this technology for our Google Workspace and Google Cloud customers to provide another layer of account security,” the internet giant explains.

Related: Chrome’s Standard Safe Browsing Now Has Real-Time URL Protection

Related: Google Announces Enhanced Fraud Protection for Android

Related: Google Contributes $1 Million to Rust, Says It Prevented Hundreds of Android Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Data Protection

While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...