Muah ha haaa!
Finally, someone willing to acknowledge that the fluid, murky quicksand of security-through-obscurity can demonstrate an occasional amount of utility, when planned as a known quantity within one’s security stance.
I thought heartbleed allowed you to read private memory from the server, I don’t see how transforming the data stream would have protected you from that like they are suggesting? You would have to obscure the data at rest for that to work.
It protects you from automated attacks, since your server no longer speaks TLS. If someone’s automated script tries to open a regular TLS connection it gets XORed into garbage and ignored and they move on to a new target.
Oh I see. I was thinking under TLS, not over it. That makes more sense.