Browse Definitions :
Definition

POODLE Attack

What is a POODLE attack?

The POODLE attack, also known as CVE-2014-3566, is an exploit used to steal information from secure connections, including cookies, passwords and any of the other type of browser data that gets encrypted as a result of the secure sockets layer (SSL) protocol.

In October 2014, the United States Computer Emergency Readiness Team (US-CERT) issued an advisory about a vulnerability associated with the encryption that protects internet traffic. The security flaw, POODLE (Padding Oracle On Downgraded Legacy Encryption), allows attackers to decrypt network traffic between a client and a server.

SSL 3.0 and SSL 2.0, older versions of the Transport Layer Security (TLS) protocol used to encrypt and authenticate data sent over the internet, are vulnerable to POODLE attacks. In addition, while the industry deprecated these protocols -- replacing them with newer and more secure TLS connections -- a small number of browsers still support SSL. An attacker attempting to exploit POODLE can force these browsers to downgrade to SSL 3.0 when TLS is unavailable by inserting themselves into the communication session.

Transport layer at Layer 4 of the OSI communications model
Open Systems Interconnection (OSI) communications model positions the transport layer at Layer 4, where it ensures the reliable arrival of messages across a network, checks for errors and provides data flow controls.

How do POODLE attacks work?

The POODLE security flaw enables a man-in-the-middle (MiTM) attacker to eavesdrop on supposedly secure communications. This means attackers can exploit POODLE to steal users' private information and -- possibly -- impersonate the user, resulting in the user losing control over the exploited web application.

A POODLE attack is not simple to employ and requires success at each of the following three stages:

  1. In the initial stage, an attacker gains access to victims' sensitive data by performing a successful MiTM attack. An MiTM attack is a form of active eavesdropping where an attacker surreptitiously inserts themselves between two parties communicating over the internet to intercept and relay messages to and from them. So, while the victims believe they are talking directly to each other over a private connection, the attacker is in fact controlling the entire conversation.

  2. During the second stage, the attacker forces the server to switch to SSL 3.0 protocol. They do this by continually dropping connections during the MiTM attack until the service switches to an older protocol if it is not possible to switch to a newer protocol such as TLS 1.2. This stage of the POODLE attack is known as the downgrade attack.

  3. Once the server switches to SSL 3.0, the attacker uses POODLE to retrieve information from encrypted packets. This means they can intercept the vulnerable client's session and view the information in unencrypted data as plaintext.

How to prevent and repair POODLE attacks

Any server that supports SSL 3.0 and older versions of TLS is vulnerable to a POODLE attack. Modern versions of TLS are safe, and today's browsers block sites that use old versions of TLS (1.0, 1.1). A server configured to support only newer protocols (TLS 1.2, 1.3) prevents the possibility of a POODLE attack.

What is the POODLE vulnerability?

The POODLE vulnerability impacts certain cipher suites defined within a security protocol, including TLS and SSL. Cipher suites are cryptographic algorithms and key exchange methods used to establish secure connections between a client and a server. When block ciphers encrypt cipher suites, a private and public key is generated using asymmetric encryption. The communication between the user and server uses the key for encryption.

The POODLE attack relies on victims using the least secure encryption mode possible: cipher-block chaining (CBC) mode. CBC mode is a message encryption mode for block ciphers. In this mode, each block is XORed with the previous ciphertext block before encryption. In cryptography, the XOR logical operator applied to two equal-length strings yields a result that has the same length as the operands.

What is padding?

In cryptography, padding -- the P in POODLE attack -- refers to data added to plaintext before encryption. Padding is necessary to prevent a cipher from being vulnerable to a known plaintext attack.

In the context of SSL/TLS (HTTPS) connections, padding ensures the length of the plaintext transmitted over an encrypted connection is a multiple of the cipher block size as required in block cipher algorithms. Cryptographers refer to the process of adding padding as "padding" or "padding oracle."

How a TLS (transport layer security) handshake works
The most widely deployed security protocol, Transport Layer Security (TLS) delivers authentication, privacy and data integrity between communicating computer applications.

A padding oracle on CBC mode encryption allows a passive attacker to decrypt ciphertext without knowing the encryption key or even the plaintext. The attacker modifies encrypted data, and the server responds with an error message indicating that either the padding or message authentication code (MAC) is incorrect. By knowing that the same plaintext was encrypted using the same initialization vector (IV), an attacker is able to determine the plaintext bytes size with a high probability.

MAC-then-encrypt. The SSL/TLS protocol secures data exchanged over the network and ensures the integrity of data in transit. MAC, on the other hand, is a cryptographic technique -- sometimes referred to as a cryptographic hash -- used to verify no one has altered a message. The MAC-then-encrypt process calculates and inserts the MAC value, then encrypts data and padding before sending it to another computer.

History of SSL and TLS protocols

SSL and TLS are both established protocols for encrypting connections over the internet. Created by Netscape in the early 1990s, SSL served as a way to secure communication over the internet and make sure that data was authentic. TLS today serves as a more secure replacement for SSL.

A timeline of SSL and TSL development:

  • SSL 2.0. Released in 1995, this version of SSL is now prohibited by the Internet Engineering Task Force (see RFC-6176).
  • SSL 3.0. Released in 1996, SSL 3.0 is deprecated, but a few browsers still support it (RFC-7568).
  • TLS 1.0. Released in 1999 and deprecated in 2020.
  • TLS 1.1. Released in 2006 and deprecated in 2020.
  • TLS 1.2. Released in 2008 and still has no security issues.
  • TLS 1.3. Released in 2018 and continues to be the main protocol used today without any known vulnerabilities.

Other SSL/TLS vulnerabilities

A POODLE attack is not the only SSL/TLS vulnerability. Others include the following:

BEAST attack (CVE-2011-3389) vulnerability is a form of MiTM attack that uses a CBC algorithm in order to exploit vulnerabilities in a browser's implementation of the SSL/TLS protocols.

SWEET32 attack (CVE-2016-2183) vulnerability is a plaintext recovery attack on 64-bit block ciphers in CBC mode.

This was last updated in April 2021

Continue Reading About POODLE Attack

SearchCompliance
  • OPSEC (operations security)

    OPSEC (operations security) is a security and risk management process and strategy that classifies information, then determines ...

  • smart contract

    A smart contract is a decentralized application that executes business logic in response to events.

  • compliance risk

    Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting ...

SearchSecurity
  • private key

    A private key, also known as a secret key, is a variable in cryptography that is used with an algorithm to encrypt and decrypt ...

  • DOS (disk operating system)

    A DOS, or disk operating system, is an operating system that runs from a disk drive. The term can also refer to a particular ...

  • security token

    A security token is a physical or digital device that provides two-factor authentication for a user to prove their identity in a ...

SearchHealthIT
SearchDisasterRecovery
  • What is risk mitigation?

    Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.

  • change control

    Change control is a systematic approach to managing all changes made to a product or system.

  • disaster recovery (DR)

    Disaster recovery (DR) is an organization's ability to respond to and recover from an event that affects business operations.

SearchStorage
  • What is RAID 6?

    RAID 6, also known as double-parity RAID, uses two parity stripes on each disk. It allows for two disk failures within the RAID ...

  • VRAM (video RAM)

    VRAM (video RAM) refers to any type of random access memory (RAM) specifically used to store image data for a computer display.

  • PCIe SSD (PCIe solid-state drive)

    A PCIe SSD (PCIe solid-state drive) is a high-speed expansion card that attaches a computer to its peripherals.

Close