Google Introduces Device Bound Session Credentials to Combat Cookie Theft

In a significant move to enhance online security, Google's Chromium team has unveiled a groundbreaking initiative called Device Bound Session Credentials (DBSC). This innovative technology aims to safeguard users against the pervasive threat of cookie theft malware, which has victimized countless individuals across the web.

Cookies, the small files created by websites to store browsing information and improve user experience, have long been a prime target for attackers.

Malware-as-a-Service (MaaS) operators frequently employ social engineering tactics to trick users into installing cookie theft malware on their devices. Once installed, the malware exfiltrates all authentication cookies from the user's browsers to remote servers, enabling attackers to curate and sell the compromised accounts on the black market.

To address this alarming issue, Google is developing DBSC as an open web standard. By binding authentication sessions to specific devices, DBSC renders stolen cookies worthless to attackers.

This proactive measure is expected to substantially reduce the success rate of cookie theft malware, forcing attackers to resort to less effective local actions on devices, which can be more easily detected and cleaned up by anti-virus software and enterprise management tools.

The DBSC API allows servers to start new sessions with specific browsers on a device, utilizing a unique public/private key pair generated locally on the device.

The private key is securely stored using the operating system's facilities, such as Trusted Platform Modules (TPMs), making it difficult to export. Throughout the session, the server can verify proof of possession of the private key, ensuring that the session remains on the same device.

Google has prioritized user privacy in the development of DBSC. Each session is backed by a unique key, preventing sites from correlating keys from different sessions on the same device. Users retain control over their data, with the ability to delete the created keys at any time through Chrome settings. Additionally, the out-of-band refresh of short-term cookies only occurs when a user is actively using the session, minimizing unnecessary data transfer.

Currently, Google is experimenting with a DBSC prototype to protect a subset of Google Account users running Chrome Beta.

This initiative aims to assess the reliability, feasibility, and latency of the protocol on a complex site while providing meaningful protection to users. Once fully deployed, both consumers and enterprise users will benefit from enhanced account security automatically.

For developers, the DBSC project is being developed openly on GitHub, to become an open web standard. Google encourages interested parties to get involved by providing feedback, opening issues, or starting discussions on the GitHub repository. The estimated timeline indicates that origin trials for all interested websites are expected to be available by the end of 2024.

The introduction of Device Bound Session Credentials marks a significant step forward in the fight against cookie theft and online account compromises.

By collaborating with server providers, identity providers, and other browser vendors, Google aims to present a standard that works seamlessly across different websites while preserving user privacy. As the project progresses, users can look forward to a more secure online experience, knowing that their accounts are better protected against the ever-evolving threats in the digital landscape.