POODLE Attack and Disabling TLS 1.0 and SSL 3 (Nov 29, 2016)

What is the POODLE attack?

POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, is a man-in-the-middle exploit that takes advantage of Internet and security software clients' fallback to SSL 3.0.

POODLE can be used to target browser-based communication that relies on the Secure Sockets Layer (SSL) 3.0 protocol for encryption and authentication. The Transport Layer Security (TLS) protocol has replaced SSL for secure communication on the Internet, but many browsers will revert to SSL 3.0 when a TLS connection is unavailable. A man in the middle who wants to exploit POODLE takes advantage of this by inserting himself into the communication session and forcing the browser to use SSL 3.0. The attacker is then free to exploit a design flaw in SSL 3.0 that allows the padding data at the end of a block cipher to be changed so that the encryption cipher becomes less secure each time it is passed.

How to prevent a POODLE attack?

To prevent a POODLE attack that forces a browser to degrade to SSL 3.0, administrators should check that their server software supports the latest version of TLS and is configured properly.

The only way to prevent POODLE attacks is to stop using SSL 3.0. Mozilla and Microsoft have responded by creating ways for end users to disable SSL 3.0 manually in Firefox and Internet Explorer (IE).

How to mitigate the risk?

The server administrator has to disable SSL in favor of TLS for inbound connections to servers. You also need to disable SSL in your web browsers. If you are a .NET developer, whenever you initiate HTTPS connections with various services through System.Net.HttpWebRequest, these connections could be vulnerable to a MITM attack if they allow fallback from TLS to SSL.

The allowed protocols for the System.Net.Security.SslStream class are set globally for each AppDomain via the System.Net.ServicePointManager.SecurityProtocol property.

In .NET 4.5, the default value of this property is Ssl3 | Tls. You can use this line of code in C#:


This should be changed to Tls12, before you initiate any connections in your app:
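The change described above, as an added example (not code from the original article): it sets the AppDomain-wide property to Tls12 at startup and then checks that nothing has put Ssl3 or Tls back. The class TlsHardening and its methods are hypothetical names, and .NET Framework 4.5 or later is assumed.

```csharp
using System;
using System.Net;

// Hypothetical helper for this example; not a framework type.
static class TlsHardening
{
    // The protocol flags the article says .NET 4.5 enables by default.
    const SecurityProtocolType Legacy =
        SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls;

    // Call once at startup, before the first HttpWebRequest or SslStream
    // is created. Returns the previous value so it can be logged.
    public static SecurityProtocolType EnforceTls12()
    {
        SecurityProtocolType previous = ServicePointManager.SecurityProtocol;
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        return previous;
    }

    // The property is global to the AppDomain, so any library can change it
    // later. Call this before sensitive requests to catch that.
    public static void ThrowIfLegacyEnabled()
    {
        SecurityProtocolType current = ServicePointManager.SecurityProtocol;
        if ((current & Legacy) != 0)
            throw new InvalidOperationException(
                "SSL 3.0 or TLS 1.0 is enabled for this AppDomain: " + current);
    }

    static void Main()
    {
        Console.WriteLine("Before: " + EnforceTls12());
        Console.WriteLine("After:  " + ServicePointManager.SecurityProtocol);
        ThrowIfLegacyEnabled();   // passes: only Tls12 is set

        // Constructed failure case: some other code ORs TLS 1.0 back in.
        ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls;
        try
        {
            ThrowIfLegacyEnabled();
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("Caught: " + ex.Message);
        }
    }
}
```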


If you are a .NET developer, you may take a look at this too.
