Google is working on a new security feature for the Web that aims to protect users against cookie theft malware better. Called Device Bound Session Credentials (DBSC), its main purpose is to bind cookies to the user’s device.
To better understand this, it is necessary to analyze the current situation. When you sign-in to a web service, a cookie is usually saved to the local system. This session cookie may then be used in future sessions. The effect is that you do not need to sign-in again, as this has been done in the past.
Cookies expire eventually, but until that happens, they may be used. One of the problems that arises is that cookies may also be used on other systems. This is what makes them attractive to criminals. If they manage to get their hands on session cookies, they may access the service without authentication.
A subtype of malware is designed to find and extract cookies from user systems. While this requires access to the user’s system in one way or another, it is a fairly common type of attack.
Device Bound Session Credentials
As the name implies, Device Bound Session Credentials limit cookies to individual devices. If you sign-in to a web service, the boundary is your computer (or a particular application). Anyone stealing the cookie cannot use it to access the account on another device, thanks to the new protective system.
Google explains:
By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.
Google admits that attackers may still get value out of attacks, but only if they act on the user system thanks to the boundary.
Technically, DBSC uses key pairs that are created when a new session starts. The private key is stored by the operating system and protections such as TPM help protect the keys against attacks. Servers may associate sessions with the public key; this ensures that a session is still on the original device.
Google notes that there is no “persistent user tracking” as sites may not “correlate keys from different sessions”. Keys may also be deleted at any time using the browser, e.g., Chrome’s option to delete site data.
Going forward
Google has open sourced the project and plans to make it a public standard. It is already experimenting with a prototype in Chrome Beta that protects Google Account users. Some companies, including Microsoft, have expressed interest already in DBSC.
You can check out Google’s post on the Chromium blog for an overview or the technical explainer on GitHub for additional information.