TrickorTip.com – Currently, there are many malwares (especially malicious extensions) that steal cookies saved by browsers. Some of these cookies are reserved by verified websites, that is, generated after users log in to their accounts. Therefore, malware can use them after stealing them. Cookies directly access user accounts without requiring account passwords and can bypass 2FA authentication.
In fact, this situation has been going on for many, many years. Now Google Chrome is finally starting to add new plans to resist this attack. The principle is not complicated: the generated cookies must be bound to the local device, that is, after leaving this device, It is no longer available.
The new feature proposed by the Chrome team is called Device Binding Session Credentials (DBSC), which binds the authentication session to the current device through the device’s local public key/private key pair. The private key can be encrypted and saved using the TPM Trusted Platform Module. Or it may be stored with the desktop operating system using a software-based method, making it difficult to export as well.
Naturally, the credentials cannot be decrypted without the private key, so whether a hacker wants to steal Cookies or use stolen Cookies to log in, the difficulty will be greatly increased.
It is worth noting that this feature also requires API support. This new API will serve as a replacement or enhancement for the existing Cookies function , verifying the possession of the private key throughout the session life cycle (that is, before expiration).
Each session will be backed by a unique key, and DBSC does not allow different websites to associate keys for different sessions on the same device to avoid tracking users in this way.
Google also emphasizes that the only information DBSC sends to the server is the public key of each session. The server will use this public key to verify the key and will not reveal other information about the device itself, such as IP address, operating system, browser version, resolution rate, language, etc. (but the website itself can collect this information in other ways)
However, this function cannot be completed directly by Google Chrome. In fact, it requires the joint efforts of operating system developers and website developers. Google hopes to turn DBSC into an open network standard. Currently, the Microsoft Edge team, Okta and other authentication providers are Interested in this standard.
