Protecting Cookies with Device Bound Session Credentials

Google has announced public availability of Device Bound Session Credentials (DBSC) for Windows users on Chrome 146, with macOS support coming soon. DBSC cryptographically binds authentication sessions to a specific device using hardware-backed security modules like the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS. The browser generates a unique public/private key pair that cannot be exported from the machine. Servers issue short-lived session cookies contingent on Chrome proving possession of the corresponding private key, rendering any exfiltrated cookies useless to attackers who steal them via infostealer malware such as LummaC2. DBSC shifts from reactive detection to proactive prevention, and Google has observed a significant reduction in session theft since its early rollout. The protocol preserves privacy by using distinct keys per session, preventing cross-session or cross-site correlation. DBSC was designed as an open web standard through the W3C process with input from Microsoft and industry partners, including Okta. Future improvements include securing federated identity with cross-origin bindings for SSO, advanced registration using pre-existing trusted key material, and broader device support including software-based keys.

https://security.googleblog.com/2026/04/protecting-cookies-with-device-bound.html

Comments

Post a Comment

Popular posts from this blog

Prompt Engineering Demands Rigorous Evaluation

In the blog post “Prompt Engineering Requires Evaluation” on the Shostack + Associates website, the author argues that treating prompts for large language models (LLMs) merely as creative artefacts is insufficient. Engineering prompts properly demands structured evaluation frameworks — what the AI community calls “evals” — to test which prompt versions work better, with which models, and under which conditions. The post highlights that simply assuming a prompt is “good enough” creates risks when LLMs are integrated into production systems (e.g., for threat modeling). It advocates for measuring prompt performance, variation effects, and tool-chain dependencies (model, context, ancillary materials).  Ultimately the message is: prompt engineering should borrow disciplined practices from software engineering (versioning, testing, benchmarking) rather than relying on informal experimentation.  https://shostack.org/blog/prompt-enignieering-requires-evaluation/
Read more

KEVIntel: Real-Time Intelligence on Exploited Vulnerabilities

KEVIntel is a dynamic platform providing up-to-date information on known exploited vulnerabilities (KEVs). It aggregates data from over 50 public sources, including CISA, and enriches each entry with metadata such as EPSS scores, online mentions, scanner inclusion, and exploitation status. The platform aims to serve as an early warning system, offering insights even before official publications. KEVIntel supports various formats like JSON, CSV, and RSS, facilitating integration into security operations. These entries include CVSS scores, exploit status, and links to proof-of-concept code, aiding organizations in prioritizing remediation efforts.   https://kevintel.com/
Read more

SecObserve: Simplified Vulnerability and License Management for CI/CD Pipelines

 SecObserve is an open-source tool for managing vulnerabilities and licenses in software development and cloud environments. It integrates various vulnerability scanners into CI/CD pipelines using GitLab CI templates and GitHub Actions for streamlined setup. It offers a centralized dashboard for assessing and reporting vulnerabilities, with tools for filtering, sorting, and evaluating results. SecObserve supports automation and manual assessments to focus on resolving critical issues.  https://github.com/MaibornWolff/SecObserve/tree/dev
Read more