SN 1021: Device Bound Session Credentials - Hotpatching in Win 11, Apple vs. UK

Apr 16, 2025 · 3 hr 15 min · Ep. 1021

Episode description

  • Android to get "Lockdown Mode".
  • What's in the new editions of Chrome and Firefox?
  • Why did Apple silently re-enable automatic updates?
  • My new iPhone 16, Chinese tariffs and electronics.
  • Dynamic "hotpatching" coming to Win11 Enterprise & Edu.
  • Why is it so difficult for Oracle to fess up?
  • Another multi-year breach inside US Treasury.
  • An Apple -vs- the UK update.
  • "Thundermail" (Can't someone come up with a better name?)
  • The (in)Security of Programmable Logic Controllers.
  • When LLMs write code and hallucinate non-existent packages.
  • WordPress core security and PHP gets an important audit.
  • Device-Bound Session Credentials update session cookie technology.

Show Notes - https://www.grc.com/sn/SN-1021-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Transcript

How Device-Bound Session Credentials Will Make the Web More Secure

Apr 18th 2025 by Benito Gonzalez

AI-created, human-edited.

In a recent episode of Security Now, hosts Steve Gibson and Leo Laporte discussed an important new web technology that could fundamentally change how we authenticate online: Device-Bound Session Credentials (DBSC). This security innovation promises to make web sessions more secure by binding authentication to your physical device rather than relying solely on traditional cookies.

As Gibson explained, the entire model of the web began as stateless—Sir Timothy Berners-Lee's original World Wide Web was simply "a mass of pages containing links to other pages" with no concept of logging in or maintaining session state. This changed in 1994 when Netscape engineer Lou Montulli developed the concept of browser cookies to retain transaction data.

Traditional cookies, while revolutionary, have significant security limitations. They function as "bearer tokens"—if someone steals your cookie, they can impersonate you online. Despite improvements like HTTPS encryption and secure flags, cookies remain vulnerable to various attacks, including theft and session hijacking.

DBSC represents a major security upgrade by creating a cryptographic binding between your device and web sessions. Here's how it works:

  1. When you authenticate to a website with DBSC, your device's public key is sent to the server.
  2. The website provides short-lived session cookies (unlike today's potentially long-lived cookies).
  3. As cookies approach expiration, the browser connects to a special authentication endpoint.
  4. This endpoint sends a cryptographic challenge that your device must sign using its private key.
  5. Since the private key never leaves your device's hardware (often stored in the TPM), this proves you're using the original device.
  6. Upon successful verification, fresh short-lived cookies are issued.

As Gibson summarized: "Only that one device in the galaxy could [sign the challenge]," making this an extremely secure form of authentication.

DBSC offers several significant advantages:

  • Better security: Makes session hijacking far more difficult.
  • Privacy protection: Each session uses separate keys that can't be linked to identify the same device.
  • Ease of implementation: Most of the website doesn't need to change; it still sees regular session cookies.
  • Reduced friction: Could potentially reduce the need for frequent multi-factor authentication.
  • Seamless experience: Authentication happens invisibly to the user.

Leo Laporte noted this could potentially reduce the need for annoying CAPTCHAs and frequent multi-factor authentication requirements when using the same trusted device.

According to Gibson, DBSC has already been implemented in all three major browser engines:

  • Safari
  • Firefox
  • Chrome (added in version 135)

This means it's also available in Chromium-based browsers like Edge and Brave.

However, widespread adoption requires websites to implement DBSC on their end. Gibson suggested financial institutions, domain registrars, and other security-sensitive services would likely be early adopters.

Device-Bound Session Credentials represent a careful compromise between security and practicality. Previous attempts to replace cookies failed because they were "unwilling to make a compromise," as Gibson noted. DBSC takes a pragmatic approach, using hardware-backed cryptography for periodic verification while still using cookies for moment-to-moment interactions.

As TPM availability continues to grow (currently at about 60% of Windows users), we can expect DBSC to become increasingly important in securing our online activities.
