Overview#The Poodle attack Exploits a flaw that is specific to SSLv3 with CBC-based Cipher Suites.
Poodle relies on an often overlooked feature of SSLv3: most padding bytes are ignored.
In TLS 1.0, the padding (bytes added in a record to make the length compatible with CBC Encryption, which only processes full blocks) is fully specified; all the bytes must have a specific value and the recipient checks that.
In SSLv3, padding byte contents are ignored, which allows an attacker to perform alterations that go mostly unnoticed. The alteration impact only non-applicative data, but can be used as a decryption oracle in a way vaguely similar to BEAST.
Resolution#The best Resolution we can find is to configure Servers to only allow TLS 1.1 or TLS 1.2.
More details can be read:#
More Information#There might be more information for this subject on one of the following:
- DirXML 220.127.116.11
- Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
- Web Blog_blogentry_010415_1