Traditional security practices are great tools for protecting your digital life. If you use a unique password for each of your accounts and set up two-factor authentication (2FA) for every one that supports it, hackers will have a hard time getting your data. However, even 2FA is not foolproof: hackers still have tools to bypass your security measures and enter your online spaces, through no fault of your own.
Fortunately, Google is now introducing a new security measure that will mitigate these vulnerabilities. As long as you’re running the latest version of Chrome, people trying to get into your account will now face an even tougher uphill battle.
How Session Cookies Put Your Account at Risk
As reported by BleepingComputer, Google officially introduced “Device Bound Session Credentials” (DBSC) for Chrome this week. To understand DBSC, however, you have to understand how session cookies work. When you sign into a website on your browser, that site presents you with a unique ID. This ID is stored as a small file on your device—a session cookie. The idea is to let a website keep track of you as you browse its various web pages.
There are a number of uses for session cookies, including shopping carts and websites with multiple pages, but for the purposes of this explanation, the important thing to know is that they are used to maintain your login session. A website may use a session cookie to “remember” that you are logged in—much like being given a wristband when you enter a ticketed event. This way, you don’t need to re-authenticate every time you access the site: you can enter your password and 2FA code once, and be able to return to the website without repeating the process (at least until the session cookie expires).
While session cookies only last on the device that created them (and temporarily at that), they are a prime target for hackers. If someone is able to steal your session cookies, they can impersonate your login on their device—even if the website in question uses 2FA for added security. Usually, such websites will ask for your username, password and 2FA code before allowing the login to proceed. But if a hacker steals your session cookie, they can trick websites into thinking that you’ve already authenticated yourself on the device. In other words, they have stolen your wristband and put it on their own wrist. The bouncer won’t know they stole it; the bouncer will just see that they have it, and assume that their ticket was already checked.
Google Chrome’s new security feature prevents session cookie theft
DBSC works by ensuring that your session cookies are stored in a location that is difficult for hackers to access. Going forward, all session cookies generated in Chrome (and on other Chromium-based browsers) will be stored in your PC’s Trusted Platform Module or your Mac’s Secure Enclave. These chips are designed to hold sensitive data and protect it with encryption. Only the security chip has the keys to decrypt the information there. That means that even if hackers successfully infect your Mac or PC with malware, they’ll have a very hard time cracking the security chip and stealing your session cookies.
After first announcing it in 2024, Google has been beta testing DBSC since April. Now, it’s available to virtually all Chrome users, including Workspace and enterprise users, as well as personal accounts. While Google’s original announcement only clearly indicated that the feature was available in Chrome for Windows, its DBSC help page notes that it is also available for Mac.
How to make sure you’re running DBSC in Chrome
Google says DBSC is enabled by default for all Workspace Chrome users, and administrators can’t turn it off. The company doesn’t specify whether it also applies to personal accounts, though chances are, it does. I’ve contacted Google for clarification and will update this article if I get a response.
However, Google doesn’t seem to retroactively add DBSC to all Chrome versions. According to the DBSC help page, this feature is available in Chrome version 146 or later on Windows and Chrome version 148 or later on Mac. To make sure you’re running DBSC, just install the latest version of Chrome to be safe.
To update, click the three dots at the top right, then select Help > About Google Chrome. Allow Chrome to check for the latest update and, if one is available, select “Relaunch” to install it.





