Google Debuts Device-Bound Session Credentials Against Session Hijacking
13 days ago
- #session-management
- #security
- #cryptography
- Feisty Duck’s Cryptography & Security Newsletter provides updates on cryptography, security, privacy, SSL/TLS, and PKI.
- HTTP cookies were repurposed for session management, leading to security issues like session hijacking.
- Efforts to secure cookies added the Secure and HttpOnly flags, the __Secure- and __Host- name prefixes, and the SameSite attribute.
- Early session hijacking exploited plaintext HTTP: tools like Firesheep (2010) automated capturing session cookies on shared Wi-Fi.
- HTTPS everywhere and secure cookie settings largely closed the network path, so attackers shifted to cookie-theft malware (infostealers) running on the victim's own machine, where TLS offers no protection.
- Google introduced Device-Bound Session Credentials (DBSC): the browser generates a key pair whose private key is held by the device's TPM, the server records the public key at login, and thereafter issues only short-lived session cookies, each minted after the browser signs a fresh server challenge.
- A stolen cookie therefore stops working once its short lifetime ends, because it cannot be refreshed without the device-bound key; a thief who uses it inside that window still gets in, and sites must implement the server side of the protocol for the protection to apply.
- Proceedings of the 34th USENIX Security Symposium are available, including numerous cryptography-related papers.
- Feisty Duck offers a trainer-led course on deploying secure servers and encrypted web applications.