April 3, 2024 at 10:15AM
Google is testing Device Bound Session Credentials (DBSC) in Chrome to protect against session hijacking by malware. The feature binds authentication sessions to a device, disrupting cookie theft and making it harder to abuse stolen cookies. It uses a cryptographic approach and is initially rolled out to half of Chrome’s desktop users.
Key Takeaways from the Meeting Notes:
– Google is piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to protect users against session cookie theft by malware.
– DBSC aims to disrupt the cookie theft industry by binding authentication sessions to the device, making it harder for adversaries to abuse stolen cookies and hijack accounts.
– The feature uses a cryptographic approach that ties sessions to the device, making it hard for malware to move its abuse off the user’s device.
– DBSC utilizes Trusted Platform Modules (TPMs) to store the key pair locally on the device and allows the server to verify proof-of-possession of the private key throughout the session lifetime.
– Support for DBSC will initially be rolled out to roughly half of Chrome’s desktop users based on the hardware capabilities of their machines, and origin trials for DBSC for all supported websites are set to commence by the end of the year.
– Google is engaging with several server providers, identity providers, and browser vendors to bring DBSC to a wider audience.
Overall, the development of DBSC in Chrome aims to enhance the security of user authentication sessions and protect against cookie theft by malware, thereby improving the overall security of online accounts and browsing experiences.