Google wants to stop cookie theft once and for all


CONCLUSION

Google wants to stop cookie theft thoroughly and in an entirely new way. This helps protect users' personal information and strengthens online security. Make sure your information is always protected when using Google's online services.

Summary

  • Authentication cookies pose security risks when stolen, but Google aims to prevent misuse with device-bound session credentials.
  • Google’s new API binds cookies to devices, preventing hackers from logging into accounts on their own machines without using login credentials.
  • The company is working on making the security feature a web standard while preserving user privacy and compatibility across devices.


With two-factor authentication and passkeys making logins ever more secure, hackers have started to turn to the next best option to steal credentials: authentication cookies. These valuable pieces of data are what make it possible for you to stay logged in on your devices for weeks and months without entering a password, but they can also be stolen and extracted, often far too easily. Google has announced that it’s working on changing that, detailing an open-source project which it hopes will become a web standard some day.


As convenient as cookies are, they carry some security risks. Once bad actors acquire them by deploying malware on victims’ machines, they can store and use the cookies on their own servers or sell them to other bad actors. Since authentication cookies are only generated after a successful login, none of the usual login-time security measures apply by the time the service provider sees them. Currently, there aren’t strong enough security measures in place to prevent a cookie from working on a different machine.

With Google’s proposed Device Bound Session Credentials (DBSC) API, this is supposed to change. The company wants to build a web standard that binds authentication cookies to the device they were issued on, creating a unique handshake between the website and the browser. That way, stolen cookies couldn’t be used to log into accounts anymore on other machines. This would limit hackers to using the stolen cookies on the device of their victim, making it much easier for traditional antivirus protection to stop them from wreaking havoc.


Google also wants to preserve user privacy while building this new API. Sites will not be able to use the unique keys to learn that the logins happened from the same machine. These device-bound cookies can also be deleted just like regular cookies right in the browser. Google says that the “only information sent to the server is the per-session public key which the server uses to certify proof of key possession later.”
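
The proof-of-possession idea described above, as an added example (not code from Google or the DBSC project): a Node.js simulation in which the server stores only a per-session public key and honours the cookie only alongside a signature over a fresh challenge. The function names, the in-memory session table and the challenge format are assumptions for illustration, and a software key pair stands in for a TPM-protected key.

```javascript
// Added illustration of device-bound sessions; not the DBSC API or wire format.
const crypto = require('node:crypto');

// Server state (assumed shape): cookie value -> { publicKeyPem, challenge }.
const sessions = new Map();

// Registration: the server learns only the per-session public key.
function registerSession(publicKeyPem) {
  const cookie = crypto.randomBytes(16).toString('hex');
  sessions.set(cookie, { publicKeyPem, challenge: null });
  return cookie;
}

// The server hands out a fresh, single-use challenge for a known session.
function issueChallenge(cookie) {
  const session = sessions.get(cookie);
  if (!session) return null;
  session.challenge = crypto.randomBytes(32);
  return session.challenge;
}

// The cookie is honoured only with a valid signature over the pending challenge.
function verifyProof(cookie, signature) {
  const session = sessions.get(cookie);
  if (!session || !session.challenge) return false;
  const challenge = session.challenge;
  session.challenge = null; // consume it so a captured signature cannot be replayed
  return crypto.verify('sha256', challenge, session.publicKeyPem, signature);
}

// Client side: a software P-256 key stands in for a TPM-protected key.
function newSessionKey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}
function signChallenge(privateKey, challenge) {
  return crypto.sign('sha256', challenge, privateKey);
}

// Constructed scenario: same cookie presented from the original and another machine.
function runScenario() {
  const device = newSessionKey();
  const cookie = registerSession(device.publicKey.export({ type: 'spki', format: 'pem' }));
  const proof = signChallenge(device.privateKey, issueChallenge(cookie));
  const original = verifyProof(cookie, proof);
  const replayed = issueChallenge(cookie) !== null && verifyProof(cookie, proof);
  const other = newSessionKey(); // holder of the copied cookie, without the device key
  const copied = verifyProof(cookie, signChallenge(other.privateKey, issueChallenge(cookie)));
  return { original, replayed, copied };
}
```

Because each session registers its own key, two sessions from the same machine present unrelated public keys, which is the privacy property the paragraph above describes.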


[Figure: A high-level schematic overview of how DBSC establishes a secure registration of authentication cookies. Source: Google]


The catch with this solution is that not all devices and operating systems are ready for it. Google expects that only about half of currently active Chrome installs on desktops are compatible with it, since the solution the company found is based on “facilities such as Trusted Platform Modules (TPMs) for key protection, which are becoming more commonplace and are required for Windows 11.” Google is also exploring fully software-based solutions to make sure that people with older computers aren’t left behind. This would also further help prevent websites from using the security feature to segment users and narrow down what kind of device they are more likely to use.

Google has already started testing a DBSC prototype on Chrome Beta with a limited number of Google Account users. While this initial test is built specifically for Chrome and Google Accounts, the company says it’s using the same underlying software that it will also make available to other vendors: “This prototype is integrated with the way Chrome and Google Accounts work together, but is validating and informing all aspects of the public API we want to build.”


According to Google, quite a few companies have expressed interest in the tool, with Okta and Microsoft Edge cited among many others. To make sure the API fits everyone’s needs, Google says it’s working with them to make it a true web standard. Google hopes to make DBSC fully available for testing in all sorts of scenarios by the end of 2024. With passkeys and 2FA becoming more commonplace, it makes sense to secure those cookies that might just offer the simplest path into accounts going forward.