Chrome rolls out hardware-bound session protection to combat infostealer malware

The DBSC protocol works by binding session cookies to a specific device using hardware-backed cryptographic keys. On Windows systems, this relies on the Trusted Platform Module (TPM), while macOS devices use the Secure Enclave. When a user authenticates, Chrome generates a unique public-private key pair stored securely on the device, with the private key never leaving the hardware. Servers then require proof of possession of this private key before issuing or refreshing short-lived session cookies.

This approach renders stolen cookies effectively useless. Even if malware exfiltrates the cookie data, attackers cannot authenticate without access to the device-bound private key. Additionally, DBSC enforces frequent cookie rotation, further reducing the window of opportunity for misuse.

3 Likes
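The binding described in the post above, as an added example that is not part of the original thread or Chrome's code: a simplified Node.js model in which the server refreshes a short-lived cookie only after the device signs a fresh challenge. The class and function names, the 10-minute lifetime and the software key standing in for a TPM or Secure Enclave key are assumptions, and the messages do not follow the real DBSC wire format.

```javascript
const crypto = require('node:crypto');

const COOKIE_TTL_MS = 10 * 60 * 1000; // assumed short cookie lifetime

class SessionServer {
  constructor() { this.sessions = new Map(); }

  // Registration: remember the device's public key, return the first challenge.
  register(sessionId, publicKeyPem) {
    this.sessions.set(sessionId, { publicKeyPem, challenge: null, cookie: null, expires: 0 });
    return this.newChallenge(sessionId);
  }

  newChallenge(sessionId) {
    const s = this.sessions.get(sessionId);
    s.challenge = crypto.randomBytes(32).toString('hex');
    return s.challenge;
  }

  // Refresh: a new short-lived cookie is issued only for a valid signature
  // over the current challenge, i.e. proof of possession of the private key.
  refresh(sessionId, signature, now = Date.now()) {
    const s = this.sessions.get(sessionId);
    if (!s || !s.challenge) return null;
    const ok = crypto.verify('sha256', Buffer.from(s.challenge), s.publicKeyPem, signature);
    s.challenge = null; // single use: a captured proof cannot be replayed
    if (!ok) return null;
    s.cookie = crypto.randomBytes(16).toString('hex');
    s.expires = now + COOKIE_TTL_MS;
    return s.cookie;
  }

  // Ordinary requests: the cookie alone is accepted only until it expires.
  authorize(sessionId, cookie, now = Date.now()) {
    const s = this.sessions.get(sessionId);
    if (!s || !s.cookie || now >= s.expires) return false;
    const a = Buffer.from(String(cookie)), b = Buffer.from(s.cookie);
    return a.length === b.length && crypto.timingSafeEqual(a, b);
  }
}

// Device side: a software P-256 key stands in for a TPM / Secure Enclave key.
function makeDeviceKey() {
  return crypto.generateKeyPairSync('ec', {
    namedCurve: 'P-256',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}
const signChallenge = (privateKeyPem, challenge) =>
  crypto.sign('sha256', Buffer.from(challenge), privateKeyPem);
```

A copied cookie passes `authorize` only until `COOKIE_TTL_MS` runs out; after that, `refresh` needs a signature that only the registered private key can produce.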

Can someone ELI5 and simply?

This change would prevent attacks where an attacker can obtain the cookies in your browser and use them to log into your accounts.

This is the first time I’m hearing about this, but this is big news since this attack is not theoretical. It actually happened to the Linus Tech Tips team back in 2023 where one of his employees opened a malicious PDF file that stole the employee’s browser cookies and logged into their social accounts to post cryptocurrency scams.

This Chrome security feature would prevent this attack completely. With this feature implemented, the attacker would obtain the browser cookies and not be able to use them since they’re not on the employee’s computer.

I can’t wait to see this implemented! I’ll be using it in Brave! :raising_hands:

6 Likes

Thank you!

1 Like

Imagine you go to a club. When you walk in, the person at the door gives you a wristband with a number on it. That wristband is like a session cookie.

Now the number on the wristband? That’s the session token. It’s a code that matches you to your jacket in the cubby, your shoes, your drink order. The club keeps a list in the back that says “wristband #472 = ToughBird, he ordered apple juice and has a blue jacket.”

So every time you go up to the counter and show your wristband, they look at the number and know who you are. You don’t have to tell them your name and order every single time.

When you leave the club (log out), they take the wristband back and throw away the note. Next time you visit, you get a brand-new wristband with a new number.

If someone would now steal your wristband, they could impersonate you. That someone is malware or, to be more precise, an info stealer.

Now the club owner is aware of the issue and wants to fix it. The Club owner being Google.
They invented a new magic wristband that only you are able to use. If someone snatched it away from you, he could not use it anymore.
That’s a hardware-bound session token.

2 Likes

Thank you too! Appreciate it.

1 Like

This is great news, however I get the feeling that Linux will be left out.

  1. They are realizing it on Windows and planning to release it on macOS, however not on Linux.
  2. It requires TPM2.0 to work properly. Many Linux users do not have an active TPM2.0 and, at least from my experience, the UEFI disables the TPM2.0 as soon as SecureBoot is disabled.
    SecureBoot as well as TPM2.0, at least for now, on Linux are more the exception than a common standard. Especially if you have an Nvidia GPU.

I hope Google plans to release it also on Linux and comes up with a way to do it, but I do not have big hopes in that.

1 Like

Won’t Brave bring it to Linux? The real reason to be excited is that other Chromium browsers worth using will have this, not using this in Chrome. No?

2 Likes

Won’t Brave bring it to Linux?

But how, if the hardware that is needed is not activated (or, better said, available for the program), or your device just does not have the required hardware (SecureBoot + TPM2.0)?

Ah, didn’t think of that. Good point. I think I understand how it works better now.

1 Like