Sit POODLE, sit! — Understanding the Recently Discovered POODLE Vulnerability

What is POODLE?

Popular media reports are growing about a new internet vulnerability discovered by Google engineers: POODLE (Padding Oracle On Downgraded Legacy Encryption).  It affects communications between servers and clients whose current security protocol (Advanced SSL and/or TLS) is backward compatible with SSL v3, an older and generally less secure version of SSL.

What is the Risk?

The POODLE’s bark may be worse than its bite.  If exploited, POODLE would take the form of a “man in the middle” attack.  In general, the individual risks are fairly low since any exploit would require a combination of factors:
  • The client (user’s web browser) must be “stepping back” to broadcast in SSL v3
  • The site on the server must be hosting on an old SSL v3 certificate
  • There must be a “man in the middle” wiretapping or sniffing public Wi-Fi between the client and the server
  • Other, largely standard, security or attack prevention tools that might detect the increased traffic must not be installed
  • The browser in use must not have employed the current proposed solution (According to Netcraft, Google Chrome has already deployed this solution)
All of these conditions must be met for the vulnerability to even be exposed.

Why Not Just Turn Off Server Support for SSL v3?

We believe that the risk of this vulnerability is relatively low—far lower than the potential disruption of business for our Small Business customers since it may interfere with some legitimate customer attempts to access their sites and eCommerce platforms.  Dedicated server and Enterprise customers can, however, request that support for SSL v3 be discontinued for their environments.

Ultimately, we suspect that the solution will be implemented client-side, at the browser.

References and Resources:

POODLE Google report.
POODLE security vulnerability breaks SSLv3 secure browsing. (Forbes)
Google POODLE affects oodles. (Netcraft)
TLS fallback signaling cipher suite value for preventing protocol downgrade attacks.