Giới thiệu Google wants to stop cookie theft once and for all
Google muốn chấm dứt việc đánh cắp cookie một lần cho tất cả.
Google muốn dừng chuyện đánh cắp cookie một cách triệt hạ
#QueenMobile #SảnPhẩmChấtLượng #MuaNgayBạnNhé #Google #BảoMậtThôngTinCáNhân #DừngĐánhCắpCookie
QUEEN MOBILE chuyên cung cấp điện thoại Iphone, máy tính bảng Ipad, đồng hồ Smartwatch và các phụ kiện APPLE và các giải pháp điện tử và nhà thông minh. Queen Mobile rất hân hạnh được phục vụ quý khách….
_____________________________________________________
Mua #Điện_thoại #iphone #ipad #macbook #samsung #xiaomi #poco #oppo #snapdragon giá tốt, hãy ghé [𝑸𝑼𝑬𝑬𝑵 𝑴𝑶𝑩𝑰𝑳𝑬] ✿ 149 Hòa Bình, phường Hiệp Tân, quận Tân Phú, TP HCM
✿ 402B, Hai Bà Trưng, P Tân Định, Q 1, HCM
✿ 287 đường 3/2 P 10, Q 10, HCM
Hotline (miễn phí) 19003190
Thu cũ đổi mới
Rẻ hơn hoàn tiền
Góp 0%
Thời gian làm việc: 9h – 21h.
KẾT LUẬN
Google muốn ngăn chặn việc đánh cắp cookie một cách triệt hạ và hoàn toàn mới. Điều này giúp bảo vệ thông tin cá nhân của người dùng và tăng cường an ninh trực tuyến. Hãy đảm bảo rằng thông tin của bạn luôn được bảo vệ khi sử dụng dịch vụ trực tuyến của Google.
Summary
- Authentication cookies pose security risks when stolen, but Google aims to prevent misuse with device-bound session credentials.
- Google’s new API binds cookies to devices, preventing hackers from logging into accounts on their own machines without using login credentials.
- The company is working on making the security feature a web standard while preserving user privacy and compatibility across devices.
With two-factor authentication and passkeys making logins ever more secure, hackers have started to turn to the next best option to steal credentials: authentication cookies. These valuable datasets are what makes it possible for you to stay logged in on your devices for weeks and months without entering a password, but they can also be stolen and extracted, often far too easily. Google has announced that it’s working on changing that, detailing an open-source project which it hopes will become a web standard some day.
As convenient as cookies are, they carry some security risks with them. Once bad actors acquire them by deploying malware on victims’ machines, they can store and use the cookies on their own servers or sell them to other bad actors. Since authentication cookies only get generated after a successful login, there aren’t any of the usual security measures built in when they’re available for the service provider to see. Currently, there aren’t strong enough security measures in place that prevent a cookie from working on a different machine.
With Google’s proposed Device Bound Session Credentials (DBSC) API, this is supposed to change. The company wants to build a web standard that binds authentication cookies to the device they were issued on, creating a unique handshake between the website and the browser. That way, stolen cookies couldn’t be used to log into accounts anymore on other machines. This would limit hackers to using the stolen cookies on the device of their victim, making it much easier for traditional antivirus protection to stop them from wreaking havoc.
Google also wants to preserve user privacy while building this new API. Sites will not be able to use the unique keys to learn that the logins happened from the same machine. These device-bound cookies can also be deleted just like regular cookies right in the browser. Google says that the “only information sent to the server is the per-session public key which the server uses to certify proof of key possession later.”
Google wants to make its cookie theft protection feature a web standard
Source: Google
A high-level schematic overview of how Google wants to secure authentication cookies
The catch with this solution is that not all devices and operating systems are ready for it. Google expects that only about half currently active Chrome installs on desktops are compatible with it, since the solution the company found is based on “facilities such as Trusted Platform Modules (TPMs) for key protection, which are becoming more commonplace and are required for Windows 11.” Google is also exploring fully software based solutions to make sure that people with older computers aren’t left behind. This would also further help prevent websites from using the security feature to segment users and narrow down what kind of device they are more likely to use.
Google has already started testing a DBSC prototype on Chrome Beta with a limited number of Google Account users. While this initial test is built specifically for Chrome and Google Accounts, the company says it’s using the same underlying software that it will also make available to other vendors: “This prototype is integrated with the way Chrome and Google Accounts work together, but is validating and informing all aspects of the public API we want to build.”
According to Google, quite a few companies have expressed interest in the tool, with Okta and Microsoft Edge cited among many others. To make sure the API fits everyone’s needs, Google says it’s working with them to make it a true web standard. Google hopes to make DBSC fully available for testing in all sorts of scenarios by the end of 2024. With passkeys and 2FA authentication becoming more commonplace, it makes sense to secure those cookies that might just offer the simplest path into accounts going forward.