April 3, 2024 at 08:11AM
Google is addressing cookie theft by developing Device Bound Session Credentials (DBSC), which tie authentication data to a specific device so that stolen cookies are useless on any other machine. DBSC creates a fresh public/private key pair for each session and associates the session with the public key; because keys are not reused across sessions, they cannot be correlated, which protects privacy. Google expects to support DBSC for roughly half of desktop users initially.
The meeting notes provide an overview of Google’s efforts to address the issue of cookie theft by introducing a new web capability called Device Bound Session Credentials (DBSC). This new mechanism aims to tie authentication data to a specific device, rendering stolen cookies useless and disrupting the cookie theft industry.
The DBSC API involves the creation of a new public/private key pair on the user’s device, with the private key securely stored by the operating system, potentially using a Trusted Platform Module (TPM). Web servers can then associate a session with the public key, and the session can be periodically refreshed with cryptographic proof of its association with the original device.
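The exchange described above, as an added illustration that is not Google's code or the DBSC specification: a server registers a session against the public key the device created for it, and every refresh requires a signature over a single-use challenge from the matching private key. The key is held in memory here purely as a stand-in for the OS key store or TPM the text mentions; the message format (`dbsc-refresh:<id>:<nonce>`), the ECDSA P-256 choice, and all function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Session is the server-side record: the cookie value alone proves nothing,
// only a signature from the bound key does.
type Session struct {
	PublicKey    *ecdsa.PublicKey
	Expires      time.Time
	PendingNonce string // challenge issued for the next refresh, "" if none
}

// Server keeps sessions keyed by the opaque cookie value (assumed layout).
type Server struct {
	sessions map[string]*Session
	ttl      time.Duration
}

func NewServer(ttl time.Duration) *Server {
	return &Server{sessions: map[string]*Session{}, ttl: ttl}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Register binds a new session to the device's public key and returns the
// cookie value the browser will present on later requests.
func (s *Server) Register(pub *ecdsa.PublicKey) string {
	id := randomHex(16)
	s.sessions[id] = &Session{PublicKey: pub, Expires: time.Now().Add(s.ttl)}
	return id
}

// Challenge issues a single-use nonce the device must sign to refresh.
func (s *Server) Challenge(id string) (string, error) {
	sess, ok := s.sessions[id]
	if !ok {
		return "", errors.New("unknown session")
	}
	sess.PendingNonce = randomHex(16)
	return sess.PendingNonce, nil
}

// refreshDigest binds the nonce to the session id so a signature captured for
// one session cannot be replayed against another (constructed message format).
func refreshDigest(id, nonce string) []byte {
	h := sha256.Sum256([]byte("dbsc-refresh:" + id + ":" + nonce))
	return h[:]
}

// Refresh extends the session only if the presented signature over the
// outstanding nonce verifies under the key registered at creation time.
func (s *Server) Refresh(id, nonce string, sig []byte) error {
	sess, ok := s.sessions[id]
	if !ok {
		return errors.New("unknown session")
	}
	if sess.PendingNonce == "" || nonce != sess.PendingNonce {
		return errors.New("no matching outstanding challenge")
	}
	sess.PendingNonce = "" // consumed: a captured response cannot be replayed
	if !ecdsa.VerifyASN1(sess.PublicKey, refreshDigest(id, nonce), sig) {
		return errors.New("proof of possession failed")
	}
	sess.Expires = time.Now().Add(s.ttl)
	return nil
}

// SessionKey models the per-session key pair on the device. A fresh one is
// generated per session so keys cannot be linked across sessions. The private
// key is in memory here as a stand-in for a TPM- or OS-held, non-exportable key.
type SessionKey struct{ priv *ecdsa.PrivateKey }

func NewSessionKey() *SessionKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SessionKey{priv: k}
}

func (k *SessionKey) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// SignChallenge answers a refresh challenge for the given session.
func (k *SessionKey) SignChallenge(id, nonce string) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, refreshDigest(id, nonce))
	if err != nil {
		panic(err)
	}
	return sig
}

func main() {
	srv := NewServer(10 * time.Minute)
	key := NewSessionKey()
	id := srv.Register(key.PublicKey())

	nonce, _ := srv.Challenge(id)
	fmt.Println("refresh from bound device:", srv.Refresh(id, nonce, key.SignChallenge(id, nonce)))

	// The same cookie value presented from a machine without the bound key:
	// the challenge is visible but cannot be answered.
	nonce, _ = srv.Challenge(id)
	other := NewSessionKey()
	fmt.Println("refresh with a copied cookie:", srv.Refresh(id, nonce, other.SignChallenge(id, nonce)))
}
```

The point the code makes concrete is that possession of the cookie string is no longer sufficient: the server only renews the session when the holder can sign the current nonce with the device-bound key, and each nonce is consumed on first use, so a recorded response does not help either.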
Notably, Google aims to make DBSC an open web standard and has garnered interest from others in the industry, including identity providers and Microsoft for its Edge browser. The project is being developed in the open on GitHub, and Google plans to fully align DBSC with its phase-out of third-party cookies in Chrome.
Google also mentioned that it is currently experimenting with using DBSC to protect some Google Account users running Chrome Beta, with plans to provide upgraded security for consumers, enterprise users, Google Workspace, and Google Cloud customers.
Overall, the introduction of DBSC is a significant step towards enhancing account security, though it is important to ensure widespread adoption across the industry.