Not too long ago, the so-called POODLE vulnerability made the headlines within the cybersecurity community. POODLE was able to take advantage of the Secure Socket Layer version 3 (SSL 3) and execute a Man-in-the-Middle attack.
The original POODLE attack was able to bypass the secure layer of communication. If executed successfully, the attackers, on average, needed to make 256 SSL 3 requests to discover 1 byte of encrypted information. Therefore, to reveal an 8 byte cookie, the attackers need to only make 2048 requests on average. Browsers, including Google Chrome and Firefox, have since disabled support for the ancient, 18 year-old SSL 3.
This time, POODLE bites the TLS protocol. Even though TLS’s padding is much stricter than SSL 3, the attack is made possible “because some TLS implementations omit to check the padding structure after decryption,” states Qualys in a blog post. “If an SSLv3 decoding function was used with TLS, then the POODLE attack would work, even against TLS connections,” Adam Langley of Google explains in a post detailing the mechanics of the POODLE attack. Langley also points out that many major websites are affected by this vulnerability and points out that “everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken.”