CloudBleed: Guess What? There was 0-day protection
Chris888-
I would assume you are 100% correct about the actual volume of credentials vs. sessions that were inadvertently exposed, based on basic math and this from CloudFlare:
"The greatest period of impact was between February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests)."
Although, they do have 5 million websites, so how many HTTP requests do they actually see per second?
WebSafe's Application Layer Encryption is more about a risk-based approach to security and not around compliance. You have to ask yourself what would have happened to your business had credentials been exposed? Is it a slap on the wrist? Does the CISO lose his or her job? The list goes on and on.
Did you mean Device-ID by chance? :) I would agree with you, Device-ID is a very elegant solution. If we put ourselves in the shoes of the bad guys and try to do a replay attack (session hijacking), it would fail. There are some 20+ environmental elements that Device-ID is able to hone in on. Unfortunately, I am not at liberty to discuss all of them (in fact, they won't tell me, ha!) but we look at the browser version, screen resolution, time zone, plugins, fonts etc. to make an exact fingerprint of the client. Taking all of that into account, you'd be hard pressed to execute a successful replay attack.
I've personally attempted to circumvent Device-ID and WebSafe by using Burp Suite and have had zero luck. Obviously, I am not the Alpha and Omega, but it is challenging enough that if I had hair I would have pulled it all out and given up.
Best regards, BD
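The session-binding idea BD describes above (a session token is only honoured when presented from the client fingerprint it was issued to, so a replayed token from a different client fails), as an added toy example. This is not F5's Device-ID code and does not reflect how Device-ID actually computes or compares its 20+ signals; the attribute names, the five-field fingerprint, the session store and the sample clients are all constructed for illustration.

```python
"""Toy model of binding a web session to a client fingerprint.

Added example, not F5 Device-ID or WebSafe code. The attribute names,
the session store and the sample clients below are constructed.
"""
import hashlib
import hmac
import secrets

# The post names browser version, screen resolution, time zone, plugins and
# fonts; real Device-ID uses 20+ signals, these five are a hypothetical stand-in.
FINGERPRINT_FIELDS = ("user_agent", "screen", "timezone", "plugins", "fonts")


def fingerprint(attrs):
    """Hash a canonical serialization of the client attributes."""
    parts = []
    for field in FINGERPRINT_FIELDS:
        value = attrs.get(field, "")
        if isinstance(value, (list, tuple, set)):
            value = ",".join(sorted(value))  # order-independent for list fields
        parts.append(f"{field}={value}")
    return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()


class SessionStore:
    """Issues session tokens and refuses a token presented from a client
    whose fingerprint differs from the one it was issued to."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, attrs):
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "fp": fingerprint(attrs)}
        return token

    def validate(self, token, attrs):
        session = self._sessions.get(token)
        if session is None:
            return False, "unknown token"
        if not hmac.compare_digest(session["fp"], fingerprint(attrs)):
            # The token itself is genuine, but the presenting client does not
            # match: treat it as a replayed (hijacked) session and reject it.
            return False, "fingerprint mismatch"
        return True, session["user"]


# Constructed sample clients (not real data).
LEGIT_CLIENT = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/51.0",
    "screen": "1920x1080",
    "timezone": "America/New_York",
    "plugins": ["Shockwave Flash", "Widevine"],
    "fonts": ["Arial", "Calibri", "Segoe UI"],
}
# Same captured token, but presented from a machine with a different
# screen resolution and time zone.
REPLAY_CLIENT = {**LEGIT_CLIENT, "screen": "1366x768", "timezone": "Europe/Berlin"}


def demo():
    """Issue one session to the legitimate client and check four presentations."""
    store = SessionStore()
    token = store.create("alice", LEGIT_CLIENT)
    return {
        "legit": store.validate(token, LEGIT_CLIENT),
        "replay": store.validate(token, REPLAY_CLIENT),
        "unknown": store.validate("deadbeef", LEGIT_CLIENT),
        # Plugin enumeration order must not change the fingerprint.
        "reordered": store.validate(
            token, {**LEGIT_CLIENT, "plugins": ["Widevine", "Shockwave Flash"]}
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>9}: {result}")
```

The check only raises the cost of a replay, as the post says: a fingerprint is derived from attributes the client reports, so it complements, rather than replaces, short-lived tokens, TLS and server-side session expiry.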