Article 4 of 6: Understanding TLS Security Series
Understanding TLS attacks is essential for security professionals. This article covers the major attacks against TLS, organized by attack category: protocol attacks, cipher attacks, implementation attacks, and certificate attacks.
For each attack, we cover the theory (how it works), practical aspects (detection and tools), and reality (real-world impact and mitigation).
2026 Update: All attacks listed are mitigated by TLS 1.3. With 90%+ adoption in 2026, focus on ensuring TLS 1.3 is enabled and legacy protocols disabled.
Attack Categories Overview
| Category | Target | Examples |
|---|---|---|
| Protocol Attacks | TLS protocol design flaws | POODLE, BEAST, Logjam, FREAK |
| Cipher Attacks | Weak cryptographic algorithms | Sweet32, RC4 biases, Lucky13 |
| Implementation Attacks | Software bugs in TLS libraries | Heartbleed, ROBOT, goto fail |
| Certificate Attacks | PKI and trust model | DigiNotar, Symantec, hash collisions |
| Downgrade Attacks | Force weaker versions/ciphers | DROWN, version rollback |
1. POODLE Attack
POODLE (Padding Oracle On Downgraded Legacy Encryption), 2014 | CVE-2014-3566
Theory: How It Works
- Attacker forces downgrade from TLS to SSL 3.0
- SSL 3.0 CBC mode has flawed padding validation
- Attacker sends modified ciphertext, observes error responses
- After ~256 requests per byte, attacker recovers plaintext
Why It Works: SSL 3.0 only checks the last byte of the padding (the padding length), not the content of the padding block, so an attacker who substitutes a chosen ciphertext block into the padding position learns from the server's accept/reject response whether the final decrypted byte had the expected value.
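The padding-rule difference above is easiest to see side by side. The following is an added example, not code from this article: it models the SSL 3.0 and TLS 1.0+ padding checks on an already-decrypted CBC record (data || MAC || padding || padding_length). The block size, record contents and function names are constructed for illustration only.

```python
# Added example: SSL 3.0 vs TLS 1.0+ CBC padding validation on a decrypted record.
# Block size, function names and the sample records are constructed for this illustration.

BLOCK_SIZE = 16  # assumed cipher block size (AES)

def ssl3_padding_valid(plaintext: bytes) -> bool:
    """SSL 3.0 rule (RFC 6101): only the final byte, padding_length, is inspected,
    and only for being smaller than the block size. The padding bytes themselves
    are never compared against anything, which is the gap POODLE exploits."""
    if not plaintext:
        return False
    padding_length = plaintext[-1]
    return padding_length < BLOCK_SIZE and padding_length + 1 <= len(plaintext)

def tls_padding_valid(plaintext: bytes) -> bool:
    """TLS 1.0+ rule (RFC 5246 6.2.3.2): all padding_length + 1 trailing bytes must
    equal padding_length, so a substituted block in the padding region is rejected."""
    if not plaintext:
        return False
    padding_length = plaintext[-1]
    if padding_length + 1 > len(plaintext):
        return False
    tail = plaintext[-(padding_length + 1):]
    return all(b == padding_length for b in tail)

def strip_padding(plaintext: bytes) -> bytes:
    """Remove the padding_length + 1 trailing bytes; validate before calling this."""
    return plaintext[:-(plaintext[-1] + 1)]

def compare_rules(record: bytes) -> dict:
    """Report what each protocol's padding check would say about the same record."""
    return {"ssl3": ssl3_padding_valid(record), "tls": tls_padding_valid(record)}

# Constructed records: 32 bytes whose final block is entirely padding (padding_length = 15).
# In GARBAGE the 15 padding bytes have been replaced but the length byte still reads 15,
# which is the situation a server sees when an attacker swaps in a chosen block.
PROPER = b"A" * 16 + bytes([15]) * 16
GARBAGE = b"A" * 16 + b"\x99" * 15 + bytes([15])

if __name__ == "__main__":
    print("proper :", compare_rules(PROPER))   # both rules accept
    print("garbage:", compare_rules(GARBAGE))  # SSL 3.0 accepts, TLS rejects
```

SSL 3.0 accepts both records, so the server's response leaks one bit about the decrypted final byte; the TLS rule rejects the tampered record outright. This is why the only complete mitigation is to disable SSL 3.0 rather than tune ciphers.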
Practical: Detection
```bash
# Check if SSL 3.0 is supported (needs an OpenSSL build with SSL 3.0 enabled;
# modern builds compile it out, so use nmap or testssl.sh if this errors locally)
openssl s_client -connect example.com:443 -ssl3
# Using nmap
nmap --script ssl-enum-ciphers -p 443 example.com
# Using testssl.sh
testssl.sh --poodle example.com
```
Reality: Impact
| Impact | Details |
|---|---|
| Severity | HIGH. Session cookies can be stolen |
| Requirements | MITM position, victim makes many requests (JavaScript) |
| Affected | All servers supporting SSL 3.0 with CBC ciphers |
| Mitigation | Disable SSL 3.0 entirely (RFC 7568) |
| TLS 1.3 | NOT AFFECTED, SSL 3.0 not supported |
2. BEAST Attack
BEAST (Browser Exploit Against SSL/TLS), 2011 | CVE-2011-3389
Theory: How It Works
- Targets TLS 1.0 CBC mode with predictable IV
- The IV for record N is the last ciphertext block of record N-1, which is visible on the wire before the next plaintext is chosen (predictable)
- Attacker injects chosen plaintext via JavaScript
- Compares ciphertext to guess secret values byte-by-byte
TLS 1.1+ fixed this by using random IV for each record, breaking the predictability.
Practical: Detection
```bash
# Check for TLS 1.0 with CBC ('CBC' is not a valid OpenSSL cipher-list keyword,
# so name representative CBC suites explicitly)
openssl s_client -connect example.com:443 -tls1 -cipher 'AES128-SHA:AES256-SHA:DES-CBC3-SHA'
# Using testssl.sh
testssl.sh --beast example.com
```
Reality: Impact
| Impact | Details |
|---|---|
| Severity | MEDIUM. Requires specific conditions |
| Requirements | MITM, TLS 1.0, CBC cipher, same-origin bypass |
| Mitigation | Use TLS 1.2+, prefer AEAD ciphers (GCM) |
| Browser Fix | 1/n-1 record splitting workaround implemented |
| TLS 1.3 | NOT AFFECTED, no CBC ciphers |
3. Heartbleed
Heartbleed, 2014 | CVE-2014-0160
Theory: How It Works
- Bug in OpenSSL heartbeat extension (RFC 6520)
- Client sends heartbeat with claimed length (e.g., 64KB)
- Server copies that many bytes without bounds check
- Up to 64KB of server memory leaked per request
What Can Leak:
- Private keys (catastrophic)
- Session tokens and cookies
- User credentials
- Other users’ data in memory
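The defect and its fix come down to one length check. The following is an added example, not OpenSSL code or code from this article: it models an RFC 6520 heartbeat handler in Python, once trusting the declared payload_length the way the pre-fix code did, and once applying the check RFC 6520 requires. The in-process `heap` buffer, the "secret" placed beside the record, and all function names are constructed for illustration.

```python
# Added example: RFC 6520 heartbeat handling, unchecked vs checked payload_length.
# The heap buffer, SECRET placeholder and function names are constructed for illustration.
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 section 4: padding MUST be at least 16 bytes

def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode HeartbeatMessage = type(1) || payload_length(2) || payload || padding.
    claimed_length lets a test build a message whose header overstates the payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING

def heartbeat_response_unchecked(heap: bytearray, offset: int) -> bytes:
    """Pre-fix behaviour (simulated): copy payload_length bytes starting after the header
    regardless of how long the received record actually was. `heap` stands in for
    process memory and `offset` is where the record was placed in it."""
    _hb_type, payload_length = struct.unpack_from("!BH", heap, offset)
    start = offset + 3
    echoed = bytes(heap[start:start + payload_length])  # over-reads past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed

def heartbeat_response_checked(record: bytes) -> Optional[bytes]:
    """Fixed behaviour: RFC 6520 says a receiver MUST silently discard a message whose
    payload_length is inconsistent with the record length. Returns None when discarded."""
    if len(record) < 3:
        return None
    hb_type, payload_length = struct.unpack_from("!BH", record, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 3 + payload_length + MIN_PADDING > len(record):
        return None  # header claims more payload than the record carries
    payload = record[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING

# Constructed stand-in for data that happens to sit next to the record in memory
SECRET = b"session=deadbeef; "

def demo() -> dict:
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", claimed_length=200)  # header says 200, carries 4
    heap = bytearray(lying + SECRET + b"\x00" * 300)
    leaked = heartbeat_response_unchecked(heap, 0)
    return {
        "honest_accepted": heartbeat_response_checked(honest) is not None,
        "lying_discarded": heartbeat_response_checked(lying) is None,
        "unchecked_leaks_neighbour": SECRET in leaked,
    }

if __name__ == "__main__":
    print(demo())
```

The checked handler rejects the oversized claim before any copy happens; the unchecked one dutifully returns whatever followed the record. The same one-line comparison of declared length against actual record length is what the OpenSSL fix added.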
Practical: Detection
```bash
# Using nmap
nmap -p 443 --script ssl-heartbleed example.com
# Check OpenSSL version
openssl version -a   # Vulnerable: 1.0.1 through 1.0.1f
# Using testssl.sh
testssl.sh --heartbleed example.com
```
Reality: Impact
| Impact | Details |
|---|---|
| Severity | CRITICAL. Private keys extractable |
| Scope | 17% of all HTTPS servers at disclosure (~500K) |
| Exploitability | Trivial, no authentication needed, leaves no logs |
| Mitigation | Update OpenSSL, revoke and reissue certificates |
| Key Lesson | Implementation bugs can be worse than protocol flaws |
4. Logjam Attack
Logjam, 2015 | CVE-2015-4000
Theory: How It Works
- MITM downgrades connection to export-grade DHE (512-bit)
- 512-bit DH can be broken in minutes with precomputation
- Many servers use same DH parameters (shared primes)
- NSA may have precomputed discrete log for common primes
1024-bit DH with common primes may be breakable by nation-state attackers who precompute discrete log tables.
Practical: Detection
```bash
# Check DH parameter size
openssl s_client -connect example.com:443 -cipher 'DHE' 2>&1 | grep 'Server Temp Key'
# Check for export ciphers
nmap --script ssl-enum-ciphers -p 443 example.com | grep EXPORT
# Using testssl.sh
testssl.sh --logjam example.com
```
Reality: Impact
| Impact | Details |
|---|---|
| Severity | HIGH. Active MITM can decrypt traffic |
| Affected | 8.4% of top 1M sites supported DHE_EXPORT |
| Mitigation | Disable export ciphers, use 2048-bit DH or ECDHE |
| TLS 1.3 | NOT AFFECTED, no DHE_EXPORT, ECDHE only |
5. Sweet32 Attack
Sweet32 (Birthday Attack on Block Ciphers), 2016 | CVE-2016-2183
Theory: How It Works
- Birthday attack on 64-bit block ciphers (3DES, Blowfish)
- After 2^32 blocks (~32GB), collision likely
- Collision reveals XOR of two plaintext blocks
- With known plaintext, can recover secrets
Practical attack requires ~785GB of captured traffic but is feasible for long-lived connections.
Practical: Detection
```bash
# Check for 3DES support
openssl s_client -connect example.com:443 -cipher '3DES'
# Using nmap
nmap --script ssl-enum-ciphers -p 443 example.com | grep -i 'des'
```
Reality: Impact
| Impact | Details |
|---|---|
| Severity | MEDIUM. Requires large traffic volume |
| Practical | ~38 hours of traffic capture needed |
| Mitigation | Disable 3DES, use AES (128-bit blocks) |
| TLS 1.3 | NOT AFFECTED, 3DES removed |
6. ROBOT Attack
ROBOT (Return Of Bleichenbacher’s Oracle Threat), 2017 | CVE-2017-13099
Theory: How It Works
- Targets RSA key exchange (PKCS#1 v1.5 padding)
- Server reveals if padding is valid via timing/errors
- Attacker sends modified ciphertexts, observes oracle
- Can forge signature or decrypt pre-master secret
This is the same Bleichenbacher attack from 1998, rediscovered because vendors failed to implement countermeasures correctly.
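The countermeasure that keeps getting implemented wrongly is spelled out in RFC 5246 section 7.4.7.1: whatever is wrong with the decrypted RSA block, the server continues with a premaster secret that will fail the Finished check later, and never signals which check failed. The following is an added example, not code from this article or from any TLS library: it models that handling on the raw PKCS#1 v1.5 block after RSA decryption (the RSA operation itself is out of scope here). Function names, the 2048-bit block length and sample blocks are constructed for illustration, and the page's own advice still stands: the real fix is to stop offering RSA key exchange.

```python
# Added example: RFC 5246 7.4.7.1 handling of a decrypted RSA ClientKeyExchange block.
# Function names, block length and sample blocks are constructed for illustration.
import os

PMS_LEN = 48      # premaster secret: 2 version bytes + 46 random bytes
MIN_PS_LEN = 8    # PKCS#1 v1.5 type 2: at least 8 non-zero padding bytes

def unpad_type2(em: bytes, msg_len: int = PMS_LEN):
    """Check EM = 0x00 || 0x02 || PS || 0x00 || M with M exactly msg_len bytes.
    Every condition is folded into one flag and the last msg_len bytes are always
    returned, so all failure kinds leave through the same path (no early exits
    that differ by failure reason). Returns (ok, candidate_M)."""
    k = len(em)
    if k < msg_len + MIN_PS_LEN + 3:
        return False, bytes(msg_len)
    sep = k - msg_len - 1  # where the 0x00 separator must sit for a 48-byte M
    bad = int(em[0] != 0x00) | int(em[1] != 0x02) | int(em[sep] != 0x00)
    for b in em[2:sep]:     # padding string must contain no zero byte
        bad |= int(b == 0x00)
    return bad == 0, em[sep + 1:]

def recover_premaster(em: bytes, client_version: bytes) -> bytes:
    """Always yield a 48-byte premaster secret. Bad padding, wrong length and a
    tampered version field all produce a secret the client did not use, so the
    handshake fails at Finished for every error alike and nothing is revealed
    about the padding. (Python cannot make this constant-time; the point modelled
    here is that the observable protocol behaviour is identical in every case.)"""
    fallback = client_version + os.urandom(46)   # R from the RFC, generated up front
    ok, m = unpad_type2(em)
    if not ok:
        return fallback
    # RFC 5246: use ClientHello.client_version || M[2..47], so the embedded version
    # bytes are never compared in a way that could become a second oracle
    return client_version + m[2:]

def make_block(pms: bytes, k: int = 256, ps_byte: int = 0x55) -> bytes:
    """Constructed helper: a well-formed type 2 block for a k-byte (2048-bit) modulus."""
    return b"\x00\x02" + bytes([ps_byte]) * (k - 3 - len(pms)) + b"\x00" + pms

if __name__ == "__main__":
    pms = b"\x03\x03" + bytes(range(46))
    print(recover_premaster(make_block(pms), b"\x03\x03") == pms)        # True
    print(recover_premaster(b"\x00\x01" + make_block(pms)[2:], b"\x03\x03") != pms)  # True
```

Two properties matter for review: the good block round-trips to the client's premaster secret, and every malformed block yields a fresh random secret of the same length with the same version prefix, so the attacker's modified ciphertexts produce indistinguishable outcomes.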
Practical: Detection
```bash
# Check for RSA key exchange ciphers ('kRSA' selects RSA key exchange;
# plain 'RSA' also matches ECDHE-RSA suites that only use RSA for authentication)
openssl s_client -connect example.com:443 -cipher 'kRSA' 2>&1 | grep Cipher
# Using the ROBOT scanner
python robot-detect.py -q example.com
```
Reality: Impact
| Impact | Details |
|---|---|
| Severity | HIGH. Can decrypt or forge signatures |
| Affected | Facebook, PayPal, F5, Cisco, Citrix at disclosure |
| Mitigation | Disable RSA key exchange entirely |
| TLS 1.3 | NOT AFFECTED, RSA key exchange removed |
7. DROWN Attack
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), 2016 | CVE-2016-0800
Theory: How It Works
- Server shares RSA key between TLS and SSLv2
- Attacker captures TLS traffic (modern)
- Uses SSLv2 oracle to decrypt RSA pre-master secret
- Decrypts captured TLS session
SSLv2 on ANY server sharing the key makes ALL servers using that key vulnerable.
Practical: Detection
```bash
# Check for SSLv2 support (SSLv2 was removed from OpenSSL in 1.1.0, so on a modern
# build use testssl.sh or nmap's sslv2-drown script instead of -ssl2)
openssl s_client -connect example.com:443 -ssl2
# Using testssl.sh
testssl.sh --drown example.com
```
Reality: Impact
| Impact | Details |
|---|---|
| Severity | CRITICAL. Passive decryption of TLS traffic |
| Scope | 33% of all HTTPS servers affected |
| Mitigation | Disable SSLv2 everywhere, use unique keys |
| Key Lesson | Legacy protocol on any server compromises all |
Attack Summary Matrix
| Attack | Year | Target | Mitigation | TLS 1.3 |
|---|---|---|---|---|
| POODLE | 2014 | SSL 3.0 CBC | Disable SSL 3.0 | Safe |
| BEAST | 2011 | TLS 1.0 CBC IV | Use TLS 1.2+ | Safe |
| Heartbleed | 2014 | OpenSSL bug | Update OpenSSL | N/A |
| Logjam | 2015 | Export DHE | 2048-bit DH | Safe |
| FREAK | 2015 | Export RSA | Disable export | Safe |
| Sweet32 | 2016 | 64-bit blocks | Disable 3DES | Safe |
| DROWN | 2016 | SSLv2 + RSA | Disable SSLv2 | Safe |
| ROBOT | 2017 | RSA PKCS#1 | Disable RSA KE | Safe |
| Lucky13 | 2013 | CBC timing | Use AEAD | Safe |
Comprehensive Scan Command
```bash
# testssl.sh - comprehensive TLS vulnerability scan
testssl.sh --poodle --heartbleed --robot example.com
# nmap scripts
nmap --script ssl-heartbleed,ssl-poodle -p 443 example.com
```
Key Takeaways
- Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
- Disable RSA key exchange, use ECDHE only
- Disable CBC ciphers, use AEAD (GCM) only
- Disable 3DES, RC4, export ciphers
- Keep TLS libraries updated (Heartbleed lesson)
- Use unique keys per service (DROWN lesson)
- TLS 1.3 eliminates most attack vectors
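The takeaways above can be turned into an automated policy check that runs over scan results and names the attack each leftover setting enables. The following is an added example, not code from this article or from testssl.sh/nmap: it takes the protocols and IANA cipher-suite names a scanner reported (the constructed `SCAN_*` dictionaries stand in for real output) plus the `Server Temp Key` line from `openssl s_client`, and applies the rules from the summary matrix. Rule thresholds, finding labels and function names are this example's own choices.

```python
# Added example: audit scanner output against the Key Takeaways above.
# The SCAN_* inputs and the Server Temp Key lines are constructed samples, not real scan output.
import re
from typing import Dict, List, Optional, Tuple

LEGACY_PROTOCOLS = {
    "SSLv2": "DROWN (SSLv2 oracle decrypts RSA-protected TLS sessions)",
    "SSLv3": "POODLE (SSL 3.0 CBC padding oracle)",
    "TLSv1.0": "BEAST (predictable CBC IV in TLS 1.0)",
    "TLSv1.1": "deprecated protocol (RFC 8996)",
}

# (regex on the IANA suite name, finding); one suite may match several rules
SUITE_RULES: List[Tuple[str, str]] = [
    (r"_EXPORT", "export-grade cipher suite (FREAK / Logjam)"),
    (r"3DES|_DES_", "64-bit block cipher (Sweet32)"),
    (r"_RC4_", "RC4 keystream biases"),
    (r"^TLS_RSA_WITH_", "static RSA key exchange (ROBOT, no forward secrecy)"),
    (r"_CBC_", "CBC mode (Lucky13; BEAST on TLS 1.0)"),
]

MIN_DH_BITS = 2048  # Logjam threshold from the mitigation column above

def parse_temp_key(line: str) -> Optional[Tuple[str, int]]:
    """Parse an openssl s_client line such as 'Server Temp Key: DH, 1024 bits'
    or 'Server Temp Key: X25519, 253 bits'. Returns (algorithm, bits) or None."""
    m = re.search(r"Server Temp Key:\s*([A-Za-z0-9]+),\s*(\d+)\s*bits", line)
    return (m.group(1), int(m.group(2))) if m else None

def audit(offered: Dict[str, List[str]], temp_key_line: str = "") -> List[str]:
    """Return one finding per violated rule; an empty list means the takeaways are met."""
    findings: List[str] = []
    for proto, suites in offered.items():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"{proto}: {LEGACY_PROTOCOLS[proto]}")
        for suite in suites:
            for pattern, why in SUITE_RULES:
                if re.search(pattern, suite):
                    findings.append(f"{proto} {suite}: {why}")
    key = parse_temp_key(temp_key_line)
    if key and key[0] == "DH" and key[1] < MIN_DH_BITS:
        findings.append(f"DHE group is {key[1]} bits, below {MIN_DH_BITS} (Logjam)")
    return findings

def is_compliant(offered: Dict[str, List[str]], temp_key_line: str = "") -> bool:
    return not audit(offered, temp_key_line)

# Constructed sample: a host that still offers legacy protocols and suites
SCAN_LEGACY = {
    "SSLv3": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "TLSv1.0": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"],
    "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"],
}
# Constructed sample: TLS 1.2 with ECDHE+AEAD only, plus TLS 1.3
SCAN_MODERN = {
    "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],
    "TLSv1.3": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"],
}

if __name__ == "__main__":
    for f in audit(SCAN_LEGACY, "Server Temp Key: DH, 1024 bits"):
        print("FAIL", f)
    print("modern compliant:", is_compliant(SCAN_MODERN, "Server Temp Key: X25519, 253 bits"))
```

Each finding names the attack from the matrix above, so the output doubles as the justification for a change ticket; the modern profile produces no findings, which is the target state the takeaways describe.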
Previous: Article 3: TLS 1.3: The Modern Standard
Next: Article 5: Man-in-the-Middle Attacks
This is part of our 6-article series on Understanding TLS Security.