In light of cookie stealing attacks and to ensure Chrome browser protection, Google has recently piloted its new Chrome DBSC. The device-bound session credentials (DBSC) are aimed at protecting users against cookie theft that threat actors may carry out using malware.
It’s worth noting that the Chrome DBSC prototype has only been tested against some users for now, and the aim is to make it an open web standard.
In this article, learn more about the Chrome DBSC and determine how it can help in protecting user data in browsers.
Web cookies have become a fundamental component of the internet. According to Google, they are essential because they improve user behavior. Cookies collect and store your browsing information for multiple functions, like remembering your preferences or keeping you signed in.
Given their extensive utility, cookies can be used by threat actors to carry out their malicious intent. Threat actors often use social engineering tactics to spread cookie theft malware. Prior to determining which protection measures can be used, it’s essential for users to know how such attacks are carried out.
Threat actors use such tactics to get users to bypass security warnings, allowing them to install malware on their devices. Once the malware is installed, it then begins to exfiltrate authentication cookies from the browsers to remote servers. It’s worth noting that these cookie thefts occur after a user has logged in.
What this essentially means is that, for such threat actors, security protocols like two-factor authentication or other constant identity verification protocols are not a feasible option.
To address such theft, Google has begun working on a protection protocol dubbed the Chrome DBSC. According to recent media reports, this protection protocol has been tested against some Google account users and plans to make it an open web standard are underway. According to Google, the DBSC protocol is being developed at https://github.com/WICG/dbsc.
As per the recent report, by binding authentication sessions to the device, DBSC aims to disrupt cookie theft since exfiltrating these cookies will no longer be of value. Google believes that eliminating the value of these cookies will reduce the rate at which cookie theft malware occurs. Shedding further light on the matter, an excerpt from Google’s blog reads:
“Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices.”
Recent media reports shed light on the Chrome DBSC protection protocol, which aims to cut down on malicious efforts using cryptography. These cryptographics tie the session to the device, making it harder for threat actors to exploit stolen information and compromise user accounts.
The feature is offered through an API that ensures a server is associated with a session using a public key created as part of the browser’s public/private key pair. The Trusted Platform Modules (TPM) store the key pair on the device. Once the key pair is stored on the device, the Chrome DBSC allows the server to implement proof-of-possession of the private key.
This verification protocol can be triggered throughout the session’s lifetime, which can help ensure that the session is indeed active on the same device. The Chrome DBSC protection protocol allows the browser to ensure device-binding of the private key. It also allows the browser to access proofs taken at multiple intervals.
Providing insights into the outcomes of the Chrome DBSC protocol, Kristian Monsen and Arnar Birgisson from Google have stated that:
“The browser can limit malware’s ability to offload its abuse off of the user’s device, significantly increasing the chance that either the browser or server can detect and mitigate cookie theft.”
It’s worth mentioning here that the Chrome DBSC depends on the device’s ability to securely sign challenges and protect private keys from being stolen by malware. Such prerequisites entail that the browser must have access to the TPM where the key pair is stored.
Given the evolving nature of cyber threats, internet users are at an increased risk of falling prey to malware, information theft, data breaches, and malicious events. To safeguard against such threats, both businesses and individuals must familiarize themselves with the cyber threats they face, as this can help develop a robust strategy.
As per recent media reports, Google has stated that the Chrome DBSC will be made available to around half of Chrome desktop users. However, this availability is subject to the hardware capabilities of their systems. The initiative also aligns with the organization’s plan to end third-party cookies in browsers.
It’s worth mentioning here that Google has engaged with other server providers and browser vendors, such as Microsoft Edge and Okta. The interest these parties have expressed serves as the basis for the engagement. In addition, trials for the Chrome DBSC are set to begin by the end of the current year.
In light of the current cyber threat landscape, web browser cookies have become a valuable tool for threat actors, allowing them to carry out their malicious intents. Threat actors can use social engineering tactics to spread cookie theft malware, helping them acquire user credentials that can then be exploited further.
The Chrome DBSC protection protocol can help users eliminate the possibility of falling prey to such attacks. Given that cybercrime activities are becoming increasingly complex, implementing proactive security measures is now essential to offset risk and improve security posture.
The sources for this piece include articles in The Hacker News and PCMag.
The post Google Chrome DBSC Protection Tested Against Cookie Attacks appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/google-chrome-dbsc-protection-tested-against-cookie-attacks/