Cookies are no longer stolen: a new feature of Google Chrome has destroyed the business of hackers

Father

DBSC makes stolen cookies useless to attackers.

A new Google Chrome update adds a security feature aimed at combating the theft of user credentials. Device Bound Session Credentials (DBSC) promises to significantly complicate the task of attackers who steal cookies to gain access to user accounts.

Cookies are small records that websites use to store information about users' visits and preferences, and to keep users logged in. The problem is that malware can steal these cookies; a valid session cookie represents a session that has already passed multi-factor authentication (MFA), so an attacker who replays it on another machine gets into the account without ever seeing an MFA prompt.

Device Bound Session Credentials cryptographically binds authentication cookies to a specific user device. This is achieved by generating a unique public/private key pair with the device's Trusted Platform Module (TPM) chip: the private key cannot be exported from the TPM, and only the public key leaves the device. Thus, even if cookies are stolen, an attacker cannot prove possession of the private key and so cannot use them to access your accounts.

Google noted that the new feature will disrupt the usual course of action of hackers, since stolen cookies will no longer have value. Attackers will instead have to act locally on the victim's device, which makes their malware easier to detect and remove, both by antivirus software and by the management tooling on corporate devices.

The feature is currently at the prototype stage, but it is already available for testing in Chrome on Windows, Linux and macOS. To try it, enter "chrome://flags/" in the address bar and enable the "enable-bound-session-credentials" flag.

DBSC works as follows: the server starts a new session with the browser and associates it with a public key whose private half is held on the user's device. Each session is protected by its own unique key, preserving the user's privacy, and the server receives only the public key, which it uses to verify later proofs that the session is still on the same device. The technology does not allow sites to track the user across different sessions on the same device, and the created keys can be deleted at any time.

The new security feature is expected to be supported on roughly half of all Chrome desktop devices (those with a TPM) and is designed to be fully consistent with the phasing out of third-party cookies in Chrome. Google said that once it is fully rolled out, consumers and corporate users will automatically receive improved security for their Google accounts.