[cabfpub] SSLv3 - Poodle Attack

Ben Wilson ben.wilson at digicert.com
Tue Oct 14 23:28:22 UTC 2014

Since I hinted at it earlier today, FWIW here is the news -


Poodle stands for "Padding Oracle On Downgraded Legacy Encryption".
CVE-2014-3566 has been reserved for this protocol vulnerability (no
additional information is available yet at


The attack works by interfering with the establishment of a TLS connection.
A client will quickly downgrade to SSLv3, which uses either the RC4 stream
cipher (subject to information leakage) or a block cipher in CBC mode
(subject to information leakage via the Poodle attack).


As I understand the explanation, the man-in-the-middle decrypts the block
ciphers by first padding a block with known values and then chipping away
until the secure cookie (or other authentication data) is fully decrypted.


If disabling SSLv3 is not feasible due to legacy system issues, the paper
suggests a few mitigations, such as using TLS_FALLBACK_SCSV to prevent a
downgrade in the first place.


"This use of TLS_FALLBACK_SCSV will ensure that SSL 3.0 is used only when a
legacy implementation is involved: attackers can no longer force a protocol
downgrade. (Attacks remain possible if both parties allow SSL 3.0 but one
of them is not updated to support TLS_FALLBACK_SCSV, provided that the
client implements a downgrade dance down to SSL 3.0.)"

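Added example, not part of the message above or of the POODLE paper: a self-contained Python re-enactment of the padding oracle the message describes. The block cipher is a stand-in (a Feistel network built on SHA-256, chosen so the script runs with the standard library only), the MAC is HMAC-SHA256, and the victim browser and the server are plain functions; the record layout (data, then MAC, then padding whose last byte gives the padding length and whose other bytes are not checked) and the attack steps (line the target byte up at the end of a block, make the padding a full block, copy the target block over the padding block, retry until the server accepts, about one time in 256) follow the published attack. Keys, the secret cookie value and the request prefix/suffix bytes are constructed for the demonstration.

```python
"""Toy re-enactment of the POODLE padding oracle against SSL 3.0 CBC.

Everything here is constructed for illustration: the block cipher is a
Feistel network on SHA-256 standing in for the real cipher suites, the
keys are random, and the "browser" and "server" are local functions.
"""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 32   # HMAC-SHA256 output, stand-in for the SSL 3.0 MAC
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Keyed round function for the stand-in cipher (not AES, not 3DES).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def ssl3_pad(data):
    # SSL 3.0 padding: pad_len arbitrary bytes followed by the byte pad_len.
    # A block-aligned input gets a full block of padding ending in 0x0f.
    pad_len = BLOCK - 1 - (len(data) % BLOCK)
    return data + os.urandom(pad_len) + bytes([pad_len])


def seal_record(enc_key, mac_key, data):
    """MAC-then-pad-then-encrypt as SSL 3.0 does; returns IV || ciphertext."""
    plaintext = ssl3_pad(data + hmac.new(mac_key, data, hashlib.sha256).digest())
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(enc_key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def open_record(enc_key, mac_key, record):
    """The oracle: True if the receiver accepts the record.

    Only the padding-length byte is examined (SSL 3.0 neither MACs the
    padding nor fixes its content), so a forged last block is accepted
    exactly when it decrypts to a final byte of BLOCK - 1, because then the
    whole block is stripped and the MAC over the untouched bytes verifies.
    """
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    plaintext = b"".join(_xor(block_decrypt(enc_key, blocks[i]), blocks[i - 1])
                         for i in range(1, len(blocks)))
    pad_len = plaintext[-1]
    if pad_len >= BLOCK:
        return False
    body = plaintext[:-(pad_len + 1)]
    if len(body) < MAC_LEN:
        return False
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest())


def poodle_recover(secret_len, send, oracle, max_tries=20000):
    """Recover the secret one byte at a time.

    send(prefix, suffix) plays the victim browser and returns a fresh record
    for prefix || secret || suffix; oracle(record) plays the server.  The
    attacker sizes prefix and suffix so the target byte ends a block and the
    padding is a full block, copies the target block over the padding block
    and repeats until the server accepts (probability 1/256 per try).
    """
    recovered = bytearray()
    for j in range(secret_len):
        prefix_len = (BLOCK - 1 - j) % BLOCK
        target_block = (prefix_len + j) // BLOCK + 1   # +1: blocks[0] is the IV
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK
        for _ in range(max_tries):
            record = send(b"A" * prefix_len, b"B" * suffix_len)
            blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
            blocks[-1] = blocks[target_block]
            if oracle(b"".join(blocks)):
                # Accepted: D(C_t)[15] ^ C_{n-2}[15] == 15, and P_t[15] = D(C_t)[15] ^ C_{t-1}[15]
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target_block - 1][-1])
                break
        else:
            raise RuntimeError("oracle never accepted")
    return bytes(recovered)


def demo(secret=b"session=8f3a1c"):
    """Run the attack end to end against a constructed secret; returns the recovered bytes."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)

    def send(prefix, suffix):
        return seal_record(enc_key, mac_key, prefix + secret + suffix)

    def oracle(record):
        return open_record(enc_key, mac_key, record)

    return poodle_recover(len(secret), send, oracle)


if __name__ == "__main__":
    print(demo())
```

The attacker never sees the keys: every recovered byte comes from the accept/reject answer plus two ciphertext bytes it already holds, which is why the fix has to be protocol-level (no SSL 3.0, or TLS_FALLBACK_SCSV so the session never reaches SSL 3.0) rather than a tweak to the padding check.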

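Added example, mine rather than from the message or the quoted paper: a small Python model of the client's downgrade dance and of TLS_FALLBACK_SCSV (the signalling cipher suite value 0x5600 from RFC 7507), including the caveat quoted above, where a server that has not been updated to recognise the SCSV can still be talked down to SSL 3.0. Versions, suites and handshake messages are plain Python values, and the man-in-the-middle is a parameter that says which ClientHellos get dropped; none of this is real TLS code.

```python
"""Model of a client's downgrade dance and of TLS_FALLBACK_SCSV (RFC 7507).

Constructed for illustration: versions, cipher suites and handshake
messages are plain Python values, not TLS records, and the attacker is a
parameter rather than a network component.
"""

SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600             # signalling cipher suite value, RFC 7507
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F  # an ordinary suite the client always offers


class Server:
    """Server with a highest supported version; supports_scsv says whether it
    has been updated to honour TLS_FALLBACK_SCSV."""

    def __init__(self, max_version, supports_scsv):
        self.max_version = max_version
        self.supports_scsv = supports_scsv

    def hello(self, client_version, cipher_suites):
        # RFC 7507: SCSV present and client_version below our highest version
        # means the client fell back needlessly, so abort the handshake.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            return ("alert", "inappropriate_fallback")
        # A server that does not know the SCSV simply ignores the unknown suite.
        return ("server_hello", min(client_version, self.max_version))


def downgrade_dance(server, mitm_max_version, send_scsv,
                    versions=(TLS12, TLS11, TLS10, SSL30)):
    """Return the negotiated version, or None if no connection is made.

    The client offers each version in turn and retries lower after a failed
    handshake (the "downgrade dance").  A man-in-the-middle drops every
    ClientHello above mitm_max_version; pass TLS12 for no attacker.
    send_scsv says whether the client adds TLS_FALLBACK_SCSV on retries.
    """
    fallen_back = False
    for version in versions:
        if version > mitm_max_version:
            fallen_back = True          # handshake dropped; client retries lower
            continue
        suites = [TLS_RSA_WITH_AES_128_CBC_SHA]
        if send_scsv and fallen_back:
            suites.append(TLS_FALLBACK_SCSV)
        msg, value = server.hello(version, suites)
        if msg == "server_hello":
            return value
        return None                     # inappropriate_fallback: stop, do not go lower
    return None


if __name__ == "__main__":
    print(hex(downgrade_dance(Server(TLS12, True), mitm_max_version=TLS12, send_scsv=True)))
    print(downgrade_dance(Server(TLS12, True), mitm_max_version=SSL30, send_scsv=True))
    print(hex(downgrade_dance(Server(TLS12, False), mitm_max_version=SSL30, send_scsv=True)))
```

The four cases worth checking are: no attacker (TLS 1.2 negotiated), attacker plus updated client and server (handshake aborted, no SSL 3.0), attacker with a server that ignores the SCSV (SSL 3.0 reached, the quoted caveat), and a genuine SSL 3.0-only server with no attacker (SSL 3.0 on the first attempt, which the SCSV is meant to permit).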