CloudBleed: Guess What? There was 0-day protection
Hi Chris888-
Replying from my mobile, hopefully I can articulate some decent thoughts here.
WebSafe is telling the client to encrypt the credentials on the fly via public/private keys. When an encrypted parameter is sent to WebSafe, it will decrypt it and send it (credentials in my example) to the web server. Does that make sense? And yes, you will need to call out which fields need to be encrypted.
Your question regarding session replay is really twofold. We might be able to encrypt sessions via WebSafe (iRule possibly), I would have to lab it up to know for sure. I would recommend using WebSafe to protect credentials as it would be trivial to grab the clear text credentials and sign in.
As for mitigating a session replay, I know for sure that's a feature of ASM. We can prevent session hijacking. Any attempt to replay a session that's already been used will stick out like an orange hat with a green bill.
Good dialog, let's keep this going :)