Preventing token theft

18 points by Foxboron


valpackett

[With DBSC] you only need to do signing once per cookie per cookie lifetime, and not on every single request. I don’t like this due to the window where exfiltrated tokens can be used

Signing / cookie rotation should definitely be forced on every user IP address change.. That would at least make "hit and run" exfiltration near impossible and force the attacker to stay active on the compromised device which could uhh at least somewhat improve detection I guess?

apromixately

Excellent collection of different approaches!

Note, I think DBSC is just designed wrong.

  1. Why does it allow a window for cookies to be re-used? It could just add another layer of keys and sign every request with a key signed by the TPM key. This avoids all the TPM slowness and is transparent to the server, so if you have a really fast TPM you can just put the second key in there as well and be perfectly protected.
  2. Plus, if you sign every request you can completely get rid of the complexity of aligning the update machinery with the rest of HTTP. Meaning, you don't have to sometimes stall requests and run a cookie update first like in DBSC.

DBSC was an interesting idea: What if we just rotate cookies on the client and all the way back in the backend and we don't have to change anything else? So the backend needs an additional service but otherwise doesn't have to change. Everything else just keeps dealing with cookies.

But it turned out that it's not actually that simple, because this means that when you send a cookie you already have to be sure that it's the right one so now we have this complicated additional machinery that updates the DBSC cookies at magic times and if it didn't well, we will have to stop the HTTP request.