
Chrome 146 Adds DBSC to Thwart Cookie Attacks


💡 Chrome DBSC kills cookie theft—fortify AI SaaS logins against hijacks today.

⚡ 30-Second TL;DR

What Changed

DBSC uses TPM to generate non-exportable public/private key pairs stored locally.

Why It Matters

This feature fundamentally weakens session hijacking via cookies, boosting web app security without developer overhauls. It sets a new standard for device-bound auth, benefiting high-security AI web services. Adoption could reduce phishing success rates industry-wide.

What To Do Next

Upgrade to Chrome 146 on Windows and prototype DBSC session upgrades for your AI web app authentication.

Who should care: Developers & AI Engineers

🧠 Deep Insight

AI-generated analysis for this event.

🔑 Enhanced Key Takeaways

  • DBSC is part of the broader 'Privacy Sandbox' initiative, specifically aiming to mitigate session hijacking without relying on third-party tracking cookies.
  • The protocol utilizes the IETF 'Token Binding' concepts, evolving them into a more modern, browser-native implementation that avoids previous OS-level limitations.
  • Google is actively collaborating with major identity providers and SaaS platforms to standardize the DBSC handshake, ensuring interoperability beyond just the Chrome ecosystem.

🛠️ Technical Deep Dive

  • DBSC utilizes the WebAuthn API infrastructure to interact with the device's Trusted Platform Module (TPM) or Secure Enclave.
  • The session binding process involves the server issuing a challenge that the browser must sign using a private key generated specifically for that session and origin.
  • The private key is marked as 'non-exportable' by the hardware, ensuring it cannot be extracted even if the operating system is compromised.
  • The protocol supports a 'rotation' mechanism where the browser periodically generates new key pairs to prevent long-term key exposure.

🔮 Future Implications

AI analysis grounded in cited sources

Session hijacking via malware-based cookie theft will decline by over 80% for DBSC-enabled sites.
By rendering stolen session tokens useless on attacker-controlled hardware, the primary incentive for mass-market infostealer malware is neutralized.
Browser-based authentication will shift toward hardware-bound standards as the default for enterprise applications.
The integration of TPM-backed security into standard web flows lowers the barrier for enterprises to enforce device-trust policies without requiring proprietary client software.

Timeline

2024-04
Google announces the initial proposal for Device Bound Session Credentials (DBSC) to the W3C.
2024-09
Chrome begins an origin trial for DBSC, allowing developers to test session binding on specific sites.
2026-03
Google officially promotes DBSC to stable release status in Chrome 146 for Windows.

Original source: IT之家
