POODLE attack
E737309
cryptographic attack
man-in-the-middle attack
padding oracle attack
transport layer security vulnerability
The POODLE attack is a cryptographic vulnerability that exploits weaknesses in SSL 3.0’s CBC mode to decrypt secure HTTPS communications.
Statements (49)
| Predicate | Object |
|---|---|
| instanceOf | cryptographic attack; man-in-the-middle attack; padding oracle attack; transport layer security vulnerability |
| abbreviation | POODLE |
| affectedSoftware | web browsers that supported SSL 3.0; web servers that supported SSL 3.0 |
| affectsProtocol | SSL 3.0; TLS (when TLS is downgraded to SSL 3.0) |
| announcedBy | Bodo Möller; Google security researchers; Krishna Bhargavan; Thai Duong |
| attackVector | active network interception; induced repeated requests with controlled plaintext |
| category | TLS/SSL vulnerability; web security vulnerability |
| CVEIdentifier | CVE-2014-3566 |
| disclosedOn | 2014-10-14 |
| enables | decryption of parts of HTTPS traffic; recovery of authentication tokens; recovery of secure cookies |
| exploits | CBC mode weaknesses in SSL 3.0; padding oracle in block cipher mode |
| fullName | Padding Oracle On Downgraded Legacy Encryption |
| impact | confidentiality of encrypted data; integrity of secure cookies; session security of HTTPS websites |
| mitigation | avoid protocol downgrades to SSL 3.0; disable SSL 3.0 support on clients; disable SSL 3.0 support on servers; implement TLS_FALLBACK_SCSV; use modern TLS versions only |
| namedAfter | poodle (dog breed) |
| publishedIn | Security Advisory by Google |
| reasonForName | acronym for Padding Oracle On Downgraded Legacy Encryption |
| relatedTo | BEAST attack; Lucky Thirteen attack; protocol downgrade attacks |
| requires | ability to trigger multiple HTTPS requests by the victim; man-in-the-middle network position; support for SSL 3.0 on client and server |
| securityPropertyViolated | confidentiality of TLS/SSL sessions |
| standardResponse | deprecation of SSL 3.0 in major browsers; removal of SSL 3.0 support from many servers |
| targets | HTTPS connections; TLS/SSL sessions that can be downgraded to SSL 3.0; encrypted web traffic |
| vulnerableCipherMode | CBC (Cipher Block Chaining) |
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.