Chrome to Fight Cookie Theft With Device Bound Session Credentials 

April 2, 2024 at 12:45PM

Google is introducing Device Bound Session Credentials (DBSC) to Chrome, preventing cookie theft by binding browser authentication sessions to the device. This technology, developed by the Web Incubator Community Group, uses private key authentication. DBSC ensures sessions are secure and deters cookie theft malware, with plans for widespread implementation by 2024.

Google is adding new user protection capabilities to Chrome in the form of Device Bound Session Credentials (DBSC). These credentials rely on authentication with a private key to enhance session security and reduce the success rate of cookie theft malware.

DBSC binds the session between the server and the browser to a public/private key pair stored securely on the device. The aim is to force attackers to act locally on the device, which makes on-device detection and cleanup more effective against malware.

The technology provides websites with an API to control the lifetime of keys and the protocol to check for proof of possession, ensuring improved account security for both consumers and enterprise users. It is expected to be available in Chrome for half of its desktop users, with plans for full deployment by the end of 2024.
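The key binding and proof-of-possession check described above can be modelled in a few lines of Node.js. This is an added example, not Chrome's or Google's code, and it is a simplified model rather than the DBSC wire protocol; `createDevice`, `SessionServer` and `demo` are hypothetical names, and the in-memory key stands in for secure on-device storage.

```javascript
// Simplified model of a device-bound session; not the DBSC wire protocol.
const crypto = require('node:crypto');

// Device side: key pair created at session registration. The private key
// never leaves this closure (standing in for secure on-device storage).
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { publicKey, prove: (challenge) => crypto.sign('sha256', Buffer.from(challenge), privateKey) };
}

// Server side: each session cookie is bound to exactly one public key.
class SessionServer {
  constructor() { this.sessions = new Map(); }
  register(publicKey) {
    const cookie = crypto.randomBytes(16).toString('hex');
    this.sessions.set(cookie, { publicKey, challenge: null });
    return cookie;
  }
  // Fresh random challenge, issued when the server asks for proof of possession.
  issueChallenge(cookie) {
    const s = this.sessions.get(cookie);
    if (!s) return null;
    s.challenge = crypto.randomBytes(32).toString('hex');
    return s.challenge;
  }

  // The check passes only with a valid signature over the outstanding challenge.
  refresh(cookie, signature) {
    const s = this.sessions.get(cookie);
    if (!s || !s.challenge) return false;
    const challenge = s.challenge;
    s.challenge = null; // single use, so a captured proof cannot be replayed
    return crypto.verify('sha256', Buffer.from(challenge), s.publicKey, signature);
  }
}

// Constructed scenario: the real device, then a holder of only the stolen cookie.
function demo() {
  const server = new SessionServer();
  const device = createDevice();
  const cookie = server.register(device.publicKey);
  const proof = device.prove(server.issueChallenge(cookie));
  const legitimate = server.refresh(cookie, proof);
  const replayed = server.refresh(cookie, proof); // challenge already consumed
  const thief = createDevice(); // has the cookie value but not the device's private key
  const stolen = server.refresh(cookie, thief.prove(server.issueChallenge(cookie)));
  return { legitimate, replayed, stolen };
}
console.log(demo());
```

The cookie value alone fails the check in both the replay and the stolen-cookie case, which is why an attacker would have to operate on the device that holds the key.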

Furthermore, Google is taking steps to align the implementation of DBSC with the phase-out of third-party cookies and ensure that it does not become a new tracking vector. Additionally, the internet giant is working to enable this technology for Google Workspace and Google Cloud customers to provide an additional layer of account security.

Overall, the introduction of DBSC represents a significant advancement in improving user security and mitigating the risks associated with cookie theft and online account compromise.
