Theft of browser authentication cookies is a serious security problem. Cookies stolen, e.g., by copying from disk and transmitting to another machine the cookie jar of a web browser, can grant substantial, unauthorized account access to the thief. This disclosure describes techniques to protect cookies by creating a web platform based isolated service for an authentication domain. The isolated service creates an ongoing measurement of the on-origin actions taken to provide an attestation that the browser session in use is the one that the server has been interacting with. The isolated service runs as part of the browser using web workers, which is tamperproof from normal web platform APIs and does not depend on on-disk data. The techniques provide a generic mechanism for binding user sessions to a given browser without relying on explicit device identity in cryptographically deprived environments. By avoiding disk persistence of cookies, the techniques thwart both web and memory attacks.
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Drewry, Will and Vasilev, Radoslav, "Web Workers for Software Attestation", Technical Disclosure Commons, (November 22, 2021)