Google has announced a new security feature for its Chrome browser – Device Bound Session Credentials (DBSC) – which helps keep users more secure against cookie theft.

Cookies are small bits of data that websites store on your computer. They help personalize your online experience by remembering preferences, keeping you logged in, and even tracking your browsing habits for targeted advertising. While cookies offer convenience, they also raise privacy concerns since they can track your activity across different websites.

How DBSC Protects You

Think of DBSC as a digital key tied specifically to your computer or device. When you log into a website, DBSC generates a key pair. The public key is shared with the site, while the private key is securely stored on your device using hardware security measures (like TPMs) or software protection. Throughout your session, the website regularly asks your browser to prove it still has that private key – making stolen cookies useless on another machine.

Buy Me A Coffee

“By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value,” said Kristian Monsen, a software engineer on Google’s Chrome Counter Abuse team.

“We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices.”

READ
Google Ups the Bounty: $250,000 for KVM Zero-Day Exploits

While currently in an early prototype phase protecting some Google Account users, the aim is to make DBSC an open web standard. Companies like Microsoft Edge and identity provider Okta have expressed interest. This collaborative approach could lead to broader adoption and enhanced security for everyone online.

Don’t expect DBSC to instantly appear everywhere. Google’s goal is to have origin trials on websites by late 2024. If successful, this could be a significant turning point in the fight against cookie theft, adding another layer of protection to web accounts.