Akamai Diversity

The Akamai Blog

Excerpt: How POODLE Happened

The following is an excerpt from Akamai Security Researcher Daniel Franke's blog post on the POODLE vulnerability.  

Bodo Möller, Thai Duong, and Krzysztof Kotowicz have just broken the internet again with POODLE, a new and devastating attack against SSL. POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption, permits a man-in-the-middle attacker to rapidly decrypt any browser session which utilizes SSL v3.0 -- or, as is generally the case, any session which can be coerced into utilizing it. POODLE is a death blow to this version of the protocol; it can only reasonably be fixed by disabling SSL v3.0 altogether.

This post is meant to be a "simple as possible, but no simpler" explanation of POODLE. I've tried to make it accessible to as many readers as possible and yet still go into full and accurate technical detail and provide complete citations. However, as the title implies, I have a second goal, which is to explain not merely how POODLE works, but the historical mistakes which allow it to work: mistakes that are still with us even though we've known better for over a decade.

For the full post, please visit Franke's blog

Leave a comment