October 16, 2014
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers when data is sent across an insecure network, for example when checking email. The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other: SSL 3.0 served as the basis for TLS 1.0, and TLS v1.0 is marginally more secure than SSL v3.0.
Google’s Security team discovered a serious vulnerability in SSL 3.0 that can be exploited to steal certain confidential information, such as cookies. This vulnerability is known as POODLE (Padding Oracle On Downgraded Legacy Encryption).
By exploiting this vulnerability, an attacker can gain access to passwords and cookies, which in turn gives access to a user's private data on a website.
The attack depends on the fact that most Web servers and Web browsers allow the use of the ancient SSL version 3 protocol to secure communications. Although SSL has been superseded by Transport Layer Security, it's still widely supported on both servers and clients. SSLv3, unlike TLS 1.0 or newer, omits validation of certain pieces of data that accompany each message. Attackers can use this weakness to decipher the encrypted data one byte at a time and extract the plain text of the message byte by byte.
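The missing validation described above concerns the CBC padding bytes at the end of each record. The following Python sketch is an added example, not code from the original post: it compares the SSL 3.0 padding rule with the TLS rule on an already-decrypted record. The block size, key, sample data and the use of HMAC-SHA1 as the record MAC are constructed simplifications.

```python
import hashlib
import hmac

BLOCK = 16                 # CBC block size in bytes (constructed for this demo)
MAC_KEY = b"demo-mac-key"  # constructed key
MAC_LEN = 20               # SHA-1 digest size

def mac(data: bytes) -> bytes:
    # HMAC-SHA1 stands in for the real record MAC (simplification).
    return hmac.new(MAC_KEY, data, hashlib.sha1).digest()

def build_record(data: bytes) -> bytes:
    """Plaintext before CBC encryption: data || MAC(data) || padding || pad_len."""
    body = data + mac(data)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)

def check_mac(body: bytes) -> bytes:
    """The MAC covers the data only, never the padding."""
    if len(body) < MAC_LEN:
        raise ValueError("record too short")
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac(data)):
        raise ValueError("bad MAC")
    return data

def open_sslv3(plain: bytes) -> bytes:
    """SSL 3.0 rule: only the final length byte is interpreted."""
    pad_len = plain[-1]
    if pad_len >= BLOCK or pad_len + 1 > len(plain):
        raise ValueError("bad padding length")
    return check_mac(plain[:-(pad_len + 1)])

def open_tls(plain: bytes) -> bytes:
    """TLS rule: every padding byte must equal the padding length."""
    pad_len = plain[-1]
    if pad_len + 1 > len(plain):
        raise ValueError("bad padding length")
    if any(b != pad_len for b in plain[-(pad_len + 1):-1]):
        raise ValueError("bad padding bytes")
    return check_mac(plain[:-(pad_len + 1)])

def alter_padding(plain: bytes) -> bytes:
    """Flip one padding byte; data, MAC and length byte stay untouched."""
    if plain[-1] == 0:
        raise ValueError("record has no padding bytes to alter")
    out = bytearray(plain)
    out[-2] ^= 0xFF
    return bytes(out)
```

A record whose padding was altered in transit still passes `open_sslv3`, because neither the padding rule nor the MAC covers those bytes, while `open_tls` rejects it. This is why disabling SSLv3 on servers and clients removes the exposure.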