Google Research

Origin-Bound Certificates: A Fresh Approach to Strong Client Authentication for the Web

21st USENIX Security Symposium, The USENIX Association (2012), pp. 317-332


Client authentication on the web has remained in the internet-equivalent of the stone ages for the last two decades. Instead of adopting modern public-key-based authentication mechanisms, we seem to be stuck with passwords and cookies.

In this paper, we propose to break this stalemate by presenting a fresh approach to public-key-based client authentication on the web. We describe a simple TLS extension that allows clients to establish strong authenti- cated channels with servers and to bind existing authen- tication tokens like HTTP cookies to such channels. This allows much of the existing infrastructure of the web to remain unchanged, while at the same time strengthening client authentication considerably against a wide range of attacks.

We implemented our system in Google Chrome and Google’s web serving infrastructure, and provide a per- formance evaluation of this implementation.

Learn more about how we do research

We maintain a portfolio of research projects, providing individuals and teams the freedom to emphasize specific types of work