
Google Introduces 'Device Bound Session Credentials' To Protect Cookies With Cryptography

Cookies are useful when browsing the web because they save site preferences and browsing information for a more seamless experience.

But because cookies can store a lot of information about users, they can also be used to track them, and attackers can steal cookies to get at users' data. Google wants to prevent this.

The company has unveiled Device Bound Session Credentials (DBSC), which it said can protect users against malware that steals cookies.

As Google explains in a blog post, attackers typically pull authentication cookies from browsers on targets' devices and move them to remote servers. They then sell access to the compromised accounts.

DBSC is meant to significantly cut down on cookie theft.

"By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value. We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices."

DBSC works like this: when the browser starts a new session, it creates a new public/private key pair locally on the device, and then gets the operating system to safely store the private key.

Google explained that its Chrome browser will use the Trusted Platform Module (TPM) for that.

Traditionally, malware that targets cookies steals them by copying them from the user's hard drive. The hacker can then use the stolen cookies to obtain session information and access users' data on the websites the cookies are associated with.

DBSC combats this threat by using a cryptographic key to tie a session to the user's specific computer or device.

This process is performed only if users are actively using the session.

The DBSC API allows a web server to associate a user's session with the generated public key, and the session can be periodically refreshed with cryptographic proof.
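The binding and refresh flow described above, modelled as an added example (not Google's code and not the actual DBSC wire protocol). The function names, the in-memory session store, the challenge format and the 10-minute cookie lifetime are assumptions, and a software key stands in for the TPM-protected one.

```javascript
const crypto = require('node:crypto');

// Server-side store (assumed in-memory): session id -> bound public key + pending challenge.
const sessions = new Map();

// Browser: key pair created at session start; the private key never leaves the device.
function newDeviceKey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256', publicKeyEncoding: { type: 'spki', format: 'pem' } });
}

// Server: associate a new session with the public key the browser sent.
function registerSession(publicKeyPem) {
  const id = crypto.randomBytes(16).toString('hex');
  sessions.set(id, { publicKeyPem, challenge: null });
  return id;
}

// Server: issue a fresh single-use challenge before each refresh.
function issueChallenge(id) {
  const s = sessions.get(id);
  if (!s) return null;
  s.challenge = crypto.randomBytes(32).toString('base64');
  return s.challenge;
}

// Server: mint a new short-lived cookie only if the pending challenge was signed by the bound key.
function refreshSession(id, signature) {
  const s = sessions.get(id);
  if (!s || !s.challenge) return null;
  const challenge = s.challenge;
  s.challenge = null; // consume it so a captured signature cannot be replayed
  const ok = crypto.verify('sha256', Buffer.from(challenge), s.publicKeyPem, signature);
  return ok ? { cookie: crypto.randomBytes(16).toString('hex'), maxAgeSec: 600 } : null;
}

// Constructed scenario: the device refreshes; a copied session on another machine cannot.
function demo() {
  const sign = (key, challenge) => crypto.sign('sha256', Buffer.from(challenge), key);
  const device = newDeviceKey();
  const id = registerSession(device.publicKey);
  const oldSig = sign(device.privateKey, issueChallenge(id));
  const legit = refreshSession(id, oldSig) !== null;
  const other = newDeviceKey(); // different machine: has the session id, not the private key
  const stolen = refreshSession(id, sign(other.privateKey, issueChallenge(id))) !== null;
  issueChallenge(id);
  const replay = refreshSession(id, oldSig) !== null; // old proof against a new challenge
  return { legit, stolen, replay };
}
```

Because each cookie is short-lived and can only be renewed with a signature from the device-held key, a cookie copied to another machine stops working once it expires.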

Figure: A high-level overview of Device Bound Session Credentials.

The prototype, which is initially being tested by "some" Google Account users running Chrome Beta, is being built with the aim of making it an open web standard, the tech giant's Chromium team said.

This test is meant to gauge DBSC's reliability and feasibility.

Once ready, Google plans to roll out DBSC to consumer and enterprise Chrome users via an automatic update.

At this time, Google is developing DBSC on GitHub, with a goal of fully launching it at the end of 2024.

Published: 04/04/2024


This post first appeared on Eyerys | Eyes For Solution.
