POODLE (Padding Oracle On Downgraded Legacy Encryption)

POODLE (Padding Oracle On Downgraded Legacy Encryption) is a security flaw that can be exploited to conduct a man-in-the-middle attack that targets Web browser-based communication between clients and servers using Secure Sockets Layer (SSL) 3.0.

While Transport Layer Security (TLS) is now more widely used, popular Web browsers such as Mozilla Firefox and Google Chrome commonly revert to SSL 3.0 when a TLS connection is unavailable. In these cases, SSL 3.0 uses the RC4 encryption cipher and allows attackers to break through the encryption and access the contents of HTTPS cookies. In certain circumstances, attackers can exploit POODLE to decrypt Web browser authentication cookies and reveal potentially sensitive information. However, to do this, an attacker must achieve a man-in-the-middle position between the client and the server through a separate exploit. In nearly all cases it also requires the client browser to have JavaScript enabled.

OpenSSL released a patch for POODLE in October 2014 to assist in the mitigation of the vulnerability. The only other technique for preventing POODLE attacks is to stop the use of SSL 3.0 altogether.
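One way to check that SSL 3.0 is actually switched off, as an added example that is not part of the original page: a small Python audit that flags nginx `ssl_protocols` and Apache `SSLProtocol` directives that still leave SSLv3 enabled. The sample configurations are constructed, and treating Apache's `all` as including SSLv3 is a conservative assumption.

```python
import re

# Constructed sample configs for illustration (not from the original page).
NGINX_SAMPLE = """\
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # weak: SSLv3 still listed
}
server {
    ssl_protocols TLSv1.2 TLSv1.3;              # corrected
}
"""
APACHE_SAMPLE = """\
SSLProtocol all
SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2
"""
# Assumption: "all" is treated as including SSLv3, the conservative reading.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}

def nginx_sslv3_lines(conf):
    """Line numbers of ssl_protocols directives that list SSLv3."""
    hits = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = re.search(r"\bssl_protocols\s+([^;]*);", line.split("#", 1)[0])
        if m and "sslv3" in m.group(1).lower().split():
            hits.append(n)
    return hits

def apache_allows_sslv3(args):
    """Apply SSLProtocol tokens left to right; a bare token counts as '+'."""
    enabled = set()
    for tok in args.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        protos = APACHE_ALL if name == "all" else {name}
        enabled = enabled | protos if sign == "+" else enabled - protos
    return "sslv3" in enabled

def apache_sslv3_lines(conf):
    """Line numbers of SSLProtocol directives that leave SSLv3 enabled."""
    hits = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+)", line.split("#", 1)[0], re.I)
        if m and apache_allows_sslv3(m.group(1)):
            hits.append(n)
    return hits

if __name__ == "__main__":
    print("nginx lines enabling SSLv3:", nginx_sslv3_lines(NGINX_SAMPLE))
    print("Apache lines enabling SSLv3:", apache_sslv3_lines(APACHE_SAMPLE))
```

The audit reads only the directives present in the text it is given; a server with no explicit directive falls back to its build's defaults, which need to be checked separately.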


This was last updated in October 2014
