The POODLE Attack
To work with legacy servers, many TLS clients implement a downgrade dance: in a first
handshake attempt, offer the highest protocol version supported by the client; if this
handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper
protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say,
TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers.
So if an attacker that controls the network between the client and the server interferes with
any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0.
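A small simulation of the downgrade dance just described, added here as an illustration and not taken from the paper or from any TLS implementation. Protocol versions are modelled as their wire values, the "network" is a function that may drop handshakes (an attacker-induced failure is indistinguishable from a glitch), and `hardened_client` is the mitigation the text calls for: a version floor that never reaches SSL 3.0.

```python
# Hypothetical model (not real TLS code): versions are the 2-byte wire values,
# so consecutive versions differ by one and a client can "step down" by 1.
SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303


def server_negotiate(offered, server_max=TLS12, server_min=SSL30):
    """Proper negotiation: the server answers one ClientHello with the highest
    version both sides support, or refuses if that is below its floor."""
    chosen = min(offered, server_max)
    return chosen if chosen >= server_min else None


def make_network(server_max=TLS12, attacker_blocks_from=None):
    """Build the path between client and server. With attacker_blocks_from set,
    an active attacker makes every handshake offering that version or higher
    fail, exactly as the text describes for TLS 1.0 and later."""
    def network(offered):
        if attacker_blocks_from is not None and offered >= attacker_blocks_from:
            return None  # dropped / reset: looks like a network glitch
        return server_negotiate(offered, server_max)
    return network


def dancing_client(network, client_max=TLS12, client_min=SSL30):
    """Legacy client: on failure, retry with the next older version until one
    succeeds. Returns (negotiated_version_or_None, number_of_attempts)."""
    offered, attempts = client_max, 0
    while offered >= client_min:
        attempts += 1
        got = network(offered)
        if got is not None:
            return got, attempts
        offered -= 1  # the dance: fall back one version and try again
    return None, attempts


def hardened_client(network, client_max=TLS12, floor=TLS10):
    """Mitigation: keep SSL 3.0 out of the fallback chain entirely. An attacker
    can still make the connection fail, but cannot steer it onto SSL 3.0."""
    return dancing_client(network, client_max, client_min=floor)
```

With an honest network the dance never triggers; with interference the legacy client ends up on SSL 3.0 after four attempts, while the hardened client fails closed instead.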
Encryption in SSL 3.0 uses either the RC4 stream cipher, or a block cipher in CBC mode.
RC4 is well known to have biases [RC4biases], meaning that if the same secret (such as
a password or HTTP cookie) is sent over many connections and thus encrypted with many
RC4 streams, more and more information about it will leak. We show here how to put
together an effective attack against CBC encryption as used by SSL 3.0, again assuming
that the attacker can modify network transmissions between the client and the server.
Unlike with the BEAST [BEAST] and Lucky 13 [Lucky13] attacks, there is no reasonable
workaround. This leaves us with no secure SSL 3.0 cipher suites at all: to achieve secure
encryption, SSL 3.0 must be avoided entirely.
Read more here: https://www.openssl.org/~bodo/ssl-poodle.pdf