POODLE (CVE-2014-3566)

POODLE is the padding-oracle attack against SSL 3.0 that forced the industry to disable the legacy protocol globally in 2014.

Definition

POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566) is an attack against the CBC-mode block ciphers of SSL 3.0. SSL 3.0 verifies only the final padding-length byte of a decrypted record and never checks the padding bytes themselves, so whether a record is accepted or rejected leaks information about decrypted bytes to an attacker who can trigger many decryptions. A man-in-the-middle attacker first downgrades the victim's connection to SSL 3.0 and then steals cookies one byte at a time. The disclosure pushed the industry to disable SSL 3.0 globally; modern TLS deployments do not negotiate it at all.
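
The padding rule that makes this oracle possible, shown side by side with the TLS 1.0+ rule. This is an added example, not code from the original page or from any TLS library: both functions are toy re-implementations of the two padding checks applied to an already-decrypted CBC record (the MAC check is out of scope), and the 8-byte block size and the sample record are assumed for the demonstration.

```python
# Added example: why SSL 3.0's CBC padding check is a padding oracle.
# Toy re-implementations of the padding rules, not OpenSSL/NSS code.

BLOCK = 8  # assumed block size (64-bit block cipher such as 3DES)


def ssl3_padding_ok(decrypted: bytes, block_size: int = BLOCK) -> bool:
    """SSL 3.0 rule: only the final byte (the pad length) is checked.

    It must be smaller than the block size and fit inside the record; the
    padding bytes that precede it are never inspected, so any garbage there
    is silently accepted.
    """
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len < block_size and len(decrypted) >= pad_len + 1


def tls_padding_ok(decrypted: bytes) -> bool:
    """TLS 1.0+ rule: every padding byte must equal the pad-length byte."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if len(decrypted) < pad_len + 1:
        return False
    return all(b == pad_len for b in decrypted[-(pad_len + 1):])


def full_padding_block(fill: bytes, block_size: int = BLOCK) -> bytes:
    """A final block consisting entirely of padding: block_size-1 filler bytes
    followed by the length byte block_size-1. `fill` supplies the filler."""
    assert len(fill) == block_size - 1
    return fill + bytes([block_size - 1])


def compare_checks(record: bytes) -> tuple:
    """Return (accepted_by_ssl3, accepted_by_tls) for one decrypted record."""
    return ssl3_padding_ok(record), tls_padding_ok(record)


# Constructed sample record: application data followed by a padding-only block.
DATA = b"GET / HTTP/1.0 Cookie: session=s"          # 32 bytes, block aligned
CLEAN = DATA + full_padding_block(b"\x07" * 7)      # well-formed in both rules
GARBLED = DATA + full_padding_block(b"\xde\xad\xbe\xef\x01\x02\x03")

if __name__ == "__main__":
    print("clean  :", compare_checks(CLEAN))    # (True, True)
    print("garbled:", compare_checks(GARBLED))  # (True, False): SSL 3.0 leaks
```

The second line of output is the oracle: SSL 3.0 reports "padding fine" for a final block whose content it never verified, which is exactly the signal the attack measures.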

Mitigation

Disable SSL 3.0 in every TLS-capable client and server, and confirm the change by checking that the endpoint no longer completes an SSL 3.0 handshake. Modern stacks already disable it by default.
