Google's Device-Bound Session Credentials: The End of Session Hijacking?

2025-08-28

Session hijacking has long been a major threat to online security. Traditional cookie-based session management is vulnerable because a stolen session cookie can be replayed from any device, leaving systems open to attack. To combat this, Google has introduced Device-Bound Session Credentials (DBSC), which leverages public-key cryptography. DBSC generates a key pair for each session and stores the private key securely on the device (e.g., in the TPM on Windows). This renders session identifiers useless on other devices, effectively preventing hijacking. Currently in beta for Google Workspace Chrome users on Windows, widespread adoption by other browser vendors could finally make session hijacking a relic of the past.

The Demise of OCSP: Let's Encrypt Pulls the Plug

2025-01-30

Let's Encrypt's decision to discontinue OCSP support signals the end of an era for this 25-year-old certificate revocation checking technology. Plagued by poor browser implementations and high operating costs, OCSP failed to deliver significant security improvements. The future involves shorter-lived certificates (e.g., 6-day validity) and a revised CRL approach handled by browser vendors. While niche uses of OCSP might persist, its era of widespread adoption is over.