Google has announced the general availability of Device Bound Session Credentials (DBSC) for all Windows users of Chrome, a major security advancement that fundamentally changes how browser sessions are protected against cookie theft attacks.
What is DBSC?
Device Bound Session Credentials (DBSC) is a web security mechanism proposed by Google (developed as an open specification in the W3C WICG) that ties a browser session to a cryptographic key that cannot leave the device it was created on. On Windows, Chrome keeps that key in the device's Trusted Platform Module (TPM).
Even if an attacker copies your session cookies off the machine (the classic infostealer move), they cannot refresh the session on another device, so a stolen cookie is only useful for the few minutes until it expires. The protection has limits worth stating plainly: DBSC does not stop an attacker who is already running code on the same device, and it does not address XSS that issues requests from inside the victim's own browser; interception on the wire is already handled by TLS.
How it Works
- When you log into a DBSC-enabled website, Chrome generates a key pair; on Windows the private key is created inside the device's TPM and never leaves it
- Chrome sends only the public key to the site during session registration, and the site then issues short-lived session cookies (minutes, not weeks) instead of one long-lived cookie
- When a cookie expires, Chrome calls the site's refresh endpoint; the server replies with a challenge and Chrome answers with a signed token, proving possession of the private key without exposing it
- A cookie copied to another machine keeps working only until it expires, because whoever holds it cannot answer the refresh challenge without the TPM-bound key
Impact on Security
DBSC sharply limits the value of the most common post-exploitation technique used by infostealers: session cookie theft. Malware families such as RedLine, Raccoon, and Vidar specifically target browser session stores, and an exfiltrated cookie jar from a DBSC-protected site now buys the attacker only the minutes until the cookies expire rather than a long-lived session. The protection only applies on sites that have adopted DBSC, and it does not defend against malware that keeps running on the victim's own device.
Availability
- Available now for all Chrome users on Windows with TPM 2.0
- Requires websites to implement DBSC server-side support (a registration endpoint that records the public key and a refresh endpoint that challenges the browser); sites that have not done so get no protection
- Google, Cloudflare and Microsoft are early adopters
- macOS and Linux support planned for future releases
Written by Tarang Parmar (CEH) — TheCyberSecurity.Network.