[flagged]

The first sentence

> HTTP cookies were never intended for session management

Seems odd. IIRC that's exactly what they were meant for. State management for http which is stateless. Am I missing some history here?

Related:

Defending against account takeovers with passkeys and DBSC (11 points, 1 month ago) https://news.ycombinator.com/item?id=44725402

Chrome Origin Trial: Device Bound Session Credentials (85 points, 4 months ago, 80 comments) https://news.ycombinator.com/item?id=43865379

Device Bound Session Credentials Explainer (14 points, 2024, 5 comments) https://news.ycombinator.com/item?id=39926961

I hope it catches on! Though they suggest storing the signing keys in TPM which is ideal, even storing them locally in the browser in an unextractable manner would be enough to prevent session hijacking.

There’s going to be a lot of LinkedIn scrapers and tools that are going to stop working if LinkedIn adopt this - a lot of these tools work off particular session cookies you share with them

If TPM is used then the regular session cookies are also secure, just in a different way. One can use hardware based attestation to tie the session token/cookie to the device and so they cannot be stolen or forged.

DBSC will run into all the same problems on platforms that don’t support TPMs. Not sure how this is changing the landscape. It’s just another implementation of the same thing.

We're still in the infancy of agentic AI, but I imagine that in the next few years, it's going to be more important to be able to grant an agent your credentials to perform operations on your behalf. Basically, you want the agent to be able to do all the same things you can do. But perhaps the agent doesn't live on your local device. I'm not saying that DBSC isn't beneficial, but I think we also need to be thinking of ways to grant AI agents permissions that used to be solely tied to the user's session.

See also: RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)

https://datatracker.ietf.org/doc/html/rfc9449

The spec doesn't say where you store the key material, but you could reasonably put it in a TPM.

I think Microsoft has also been working on this and protected resources using Conditional Access can enforce a requirement for DBT?

https://learn.microsoft.com/en-us/entra/msal/javascript/brow...

I think the DBSC is on the right direction but while it generates separate keys per session to prevent cross-session tracking (Google's ultimate ad dream), the spec acknowledges a critical vulnerability: malicious sites can collaborate by attempting to guess public keys until they find matches, creating persistent cross-site user identifiers, essentially weaponizing the security feature into the ultimate tracking system that survives cookie deletion and VPN usage

The article claims this is based on Token Binding, but skimming the W3 spec it seems to be something entirely different and not at all to be based on or related to TLS Token Binding (with an integration already envisaged by the WebAuthN spec). TB doesn't need or rely on a TPM at all, it conceptually just ties bearer tokens to a key which is (re-)used across TLS sessions; for upper layers this is transparent, but for attackers it makes it much harder to use exfiltrated tokens.

Unless you're paying me a lot of money (and even then) I WILL NOT MAINTAIN AN HSM FOR YOUR SERVICE. PLEASE FUCK OFF.

If you cared about security you would let me authenticate with ssh key signatures. GitHub does this, if you can manage to talk to an HSM you can manage to talk to the openssh agent.

Funny how we're going back to AOL times: fenced off network, pay-to-play. We've required ISPs to play fair though net neutrality only to have similar barriers put in place a decade later by upstream software incumbents.

This will break and fracture the web. Unfortunately many here have much to lose by criticizing google. I have just spent 8 hours today updating my apps on the google play store, answering business emails on my google email account and updating customer tracking data on google analytics and updating their google ads.

If they decide to make an example out of me, to teach the rest of you how to behave, I am screwed. I guess that's the "freedom" you US based folks are talking about. This has already been affecting the discourse on sites like HN for a while.

A few years ago I would read this headline with hope and excitement about technological innovation.

Right now, I am apprehensive about anything Google related. Even about anything big tech related. How is this going to be used to limit our rights and track all our movements?