Google Rolls Out Cookie Theft Protections in Chrome
"DBSC fights session cookie theft by cryptographically binding authentication sessions to the user's device, thus rendering stolen cookies useless. Once sophisticated malware has gained access to a machine, it can read the local files and memory where browsers store authentication cookies."
"Because attackers cannot steal this key, any exfiltrated cookies quickly expire and become useless to those attackers. Websites can adopt the protection through dedicated registration and refresh endpoints, and the browser handles the cryptography and cookie rotation."
"An early version of the protocol that was rolled out last year has demonstrated a significant reduction in session theft when DBSC was enabled. Because each browser session is backed by a different key, websites cannot use them to track users across sessions or sites."
Google has launched Device Bound Session Credentials (DBSC) in Chrome 146 to combat session cookie theft. The feature binds an authentication session to the user's device, so cookies stolen from that device are useless elsewhere. DBSC uses a hardware-backed security module to create a unique key pair, and Chrome issues short-lived session cookies tied to it; because those cookies expire quickly, an attacker who exfiltrates them gains little. Websites adopt DBSC through dedicated registration and refresh endpoints, while the browser handles the cryptography and cookie rotation, so standard cookie functionality remains intact.
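As an added illustration of the binding described above, the following Go program models the registration/refresh flow in simplified form. It is example code written for this page, not Chrome's or Google's DBSC implementation, and it does not follow the DBSC wire format: the names (`DeviceKey`, `Server.Register`, `Server.Challenge`, `Server.Refresh`), the `cookieTTL` value and the use of an in-memory ed25519 key in place of the hardware-backed key are all assumptions made for the example. What it shows is the property the article describes: a cookie is a short-lived bearer value, a refresh requires a signature from the device-bound key, and a stolen cookie either expires or is invalidated by the next legitimate rotation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// cookieTTL is the lifetime of one short-lived cookie (chosen for this example).
const cookieTTL = 10 * time.Minute

// DeviceKey stands in for the hardware-backed key pair. In the real protocol the
// private half never leaves the secure element; here it is an in-memory ed25519 key.
type DeviceKey struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDeviceKey() (*DeviceKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DeviceKey{pub: pub, priv: priv}, nil
}

func (d *DeviceKey) Public() ed25519.PublicKey { return d.pub }

// Sign proves possession of the device key over a server-issued challenge.
func (d *DeviceKey) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Cookie is the bearer credential sent on ordinary requests; it is what malware copies.
type Cookie struct {
	SessionID string
	Value     string
	Expires   time.Time
}

type session struct {
	pub       ed25519.PublicKey
	cookie    string
	expires   time.Time
	challenge []byte // outstanding refresh nonce, nil when none
}

// Server models the website's registration and refresh endpoints (in memory).
type Server struct{ sessions map[string]*session }

func NewServer() *Server { return &Server{sessions: map[string]*session{}} }

func randomHex(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Register binds a new session to the device public key and issues the first cookie.
func (s *Server) Register(pub ed25519.PublicKey, now time.Time) (Cookie, error) {
	id, err := randomHex(8)
	if err != nil {
		return Cookie{}, err
	}
	val, err := randomHex(16)
	if err != nil {
		return Cookie{}, err
	}
	s.sessions[id] = &session{pub: pub, cookie: val, expires: now.Add(cookieTTL)}
	return Cookie{SessionID: id, Value: val, Expires: now.Add(cookieTTL)}, nil
}

// Authenticate is the check on every ordinary request: current value, not expired.
func (s *Server) Authenticate(c Cookie, now time.Time) error {
	sess, ok := s.sessions[c.SessionID]
	if !ok || sess.cookie != c.Value {
		return errors.New("unknown session or stale cookie")
	}
	if !now.Before(sess.expires) {
		return errors.New("cookie expired; refresh required")
	}
	return nil
}

// Challenge starts a refresh by handing out a fresh nonce the device must sign.
func (s *Server) Challenge(sessionID string) ([]byte, error) {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return nil, errors.New("unknown session")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sess.challenge = nonce
	return nonce, nil
}

// Refresh rotates the cookie only if the signature verifies under the bound key.
// The nonce is single-use, so a captured signature cannot be replayed.
func (s *Server) Refresh(sessionID string, sig []byte, now time.Time) (Cookie, error) {
	sess, ok := s.sessions[sessionID]
	if !ok || sess.challenge == nil {
		return Cookie{}, errors.New("no refresh in progress")
	}
	challenge := sess.challenge
	sess.challenge = nil
	if !ed25519.Verify(sess.pub, challenge, sig) {
		return Cookie{}, errors.New("proof of possession failed")
	}
	val, err := randomHex(16)
	if err != nil {
		return Cookie{}, err
	}
	sess.cookie, sess.expires = val, now.Add(cookieTTL)
	return Cookie{SessionID: sessionID, Value: val, Expires: sess.expires}, nil
}

func main() {
	now := time.Now()
	dev, _ := NewDeviceKey()
	srv := NewServer()
	c, _ := srv.Register(dev.Public(), now)
	fmt.Println("fresh cookie:", srv.Authenticate(c, now))
	later := now.Add(cookieTTL + time.Second)
	fmt.Println("stolen copy after TTL:", srv.Authenticate(c, later))
	srv.Challenge(c.SessionID)
	_, err := srv.Refresh(c.SessionID, make([]byte, ed25519.SignatureSize), later)
	fmt.Println("refresh without device key:", err)
	ch, _ := srv.Challenge(c.SessionID)
	c2, err := srv.Refresh(c.SessionID, dev.Sign(ch), later)
	fmt.Println("refresh with device key:", err, srv.Authenticate(c2, later))
}
```

The point of the model is where the secret lives: `Authenticate` only ever sees the short-lived cookie, while the long-lived credential (the key) is used solely to answer a one-time challenge inside `Refresh`. Malware that reads browser storage obtains the cookie but not the key, so it can neither extend the session past `cookieTTL` nor survive the next legitimate rotation, which replaces the value it copied.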
Read at SecurityWeek