Editing Transport Layer Security (section)

===={{Anchor|POODLE}}POODLE attack====
{{Main|POODLE}}
On October 14, 2014, Google researchers published a vulnerability in the design of SSL 3.0, which makes [[CBC mode of operation]] with SSL 3.0 vulnerable to a [[padding oracle attack|padding attack]] ({{CVE|2014-3566}}). They named this attack '''POODLE''' ('''Padding Oracle On Downgraded Legacy Encryption'''). On average, attackers only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages.<ref name="poodle_pdf">{{cite web|url=https://www.openssl.org/~bodo/ssl-poodle.pdf|title=This POODLE Bites: Exploiting The SSL 3.0 Fallback|author1=Bodo Möller, Thai Duong|author2=Krzysztof Kotowicz|name-list-style=amp|access-date=2014-10-15|url-status=live|archive-url=https://web.archive.org/web/20141014224443/https://www.openssl.org/~bodo/ssl-poodle.pdf|archive-date=2014-10-14}}</ref>

Although this vulnerability only exists in SSL 3.0 and most clients and servers support TLS 1.0 and above, all major browsers voluntarily downgrade to SSL 3.0 if the handshakes with newer versions of TLS fail unless they provide the option for a user or administrator to disable SSL 3.0 and the user or administrator does so{{citation needed|date=February 2015}}. Therefore, the man-in-the-middle can first conduct a [[version rollback attack]] and then exploit this vulnerability.<ref name="poodle_pdf"/>

On December 8, 2014, a variant of POODLE was announced that impacts TLS implementations that do not properly enforce padding byte requirements.<ref name="poodleagain">{{cite web|url=https://www.imperialviolet.org/2014/12/08/poodleagain.html|title=The POODLE bites again|date=December 8, 2014|last=Langley|first=Adam|access-date=2014-12-08|url-status=live|archive-url=https://web.archive.org/web/20141208200653/https://www.imperialviolet.org/2014/12/08/poodleagain.html|archive-date=December 8, 2014}}</ref>