Google bakes new cookie strategy that will leave crooks with a bad taste

Device Bound Session Credentials said to render cookie theft useless

Google reckons that cookie theft is a problem for users, and is seeking to address it with a mechanism to tie authentication data to a specific device, rendering any stolen cookies useless.

Cookies are still widely used by websites, which get the browser to save information on a session locally to a small file (the cookie) stored on the computer to keep users signed in and store their site preferences.

But malware can target cookies, simply copying them from the user's hard drive and sending them back to a remote attacker, who can then potentially use the session information in the cookie to access user data from the websites they are associated with.

Now Google says it is working on a new web capability it dubs Device Bound Session Credentials (DBSC) to combat this threat. The idea behind this is to use a cryptographic key to tie a session to the user's specific computer or device.

"By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value. We think this will substantially reduce the success rate of cookie theft malware," said Kristian Monsen of the Chrome Counter Abuse team, writing on Google's Chromium Blog.

It is expected to work like this: when the browser starts a new session, it creates a new public/private key pair locally on the device, and then gets the operating system to safely store the private key. Google says that its Chrome browser will use facilities such as a Trusted Platform Module (TPM) for that.

The DBSC API allows a web server to associate a session with the public key generated, and the session can be periodically refreshed with cryptographic proof the session is still bound to the original device. This is performed out-of-band from regular web traffic, and only if the user is actively using the session.

According to Google, privacy is protected because each session is backed by a unique key and DBSC does not enable sites to correlate keys from different sessions open on the same device. The only information sent to the server is the per-session public key which the server uses to certify proof of key possession.

Google expects the Chrome browser will initially support DBSC "for roughly half of desktop users," based on the current hardware capabilities of the machines out there. For example, not all computers have a TPM, but they are likely to become more common since Microsoft made one a requirement to run Windows 11, and there are software-based alternatives.

"We may consider supporting software keys for all users regardless of hardware capabilities. This would ensure that DBSC will not let servers differentiate between users based on hardware features or device state," Monsen said.

This is all very well, but DBSC is unlikely to catch on if only Google implements the technology. According to Monsen, interest has been expressed by others in the industry, including identity providers and even Microsoft for its own Edge browser. Google is also developing the project in the open on GitHub, with the goal of becoming an open web standard, he added.

For those interested, an explainer is available in the GitHub README for the project.

Google said that DBSC will be "fully aligned" with its phase-out of third-party cookies in Chrome, and said it is currently experimenting using the tech to protect some Google Account users running Chrome Beta.

"This is an early initiative to gauge the reliability, feasibility, and the latency of the protocol on a complex site, while also providing meaningful protection to our users," Monsen said.

"When it's deployed fully, consumers and enterprise users will get upgraded security for their Google accounts under the hood automatically. We are also working to enable this technology for our Google Workspace and Google Cloud customers to provide another layer of account security."

Readers with long memories may recall that Intel once tried to pitch a unique processor serial number (PSN) embedded in each CPU, claiming similar security benefits, but it was forced to discontinue this when a row erupted over the possibility for the serial number to be used to track users online. ®

More about


Send us news

Other stories you might like