There are details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. This issue was discovered in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers).
SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore the recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Google Chrome and other servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly. In the coming months, Google hopes to remove support for SSL 3.0 completely from our client products.
Poodle Attack (Padding Oracle On Downgraded Legacy Encryption)
Poodle Attack allows a attacker to steal “secure” HTTP cookies, authorization tokens and other data from the victim. The bug lies in the obsolete SSL3.0 which is most commonly not used these days, however Incase of a failed connection caused by a network attacker the browsers with new protocols will also try older protocol version including SSL 3.0
To work with legacy servers, many TLS clients implement a downgrade dance, in a first handshake attempt, offer the highest protocol version supported by the client, if this handshake fails, retry with older protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers. So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, Google said.
