SSL/TLS Vulnerabilities: What You Need to Know
Over the years, researchers have discovered several critical vulnerabilities in SSL/TLS implementations. Understanding these vulnerabilities helps you protect your servers and users.
A Decade of Notable Vulnerabilities
The big SSL/TLS attacks cluster around 2011–2017, as researchers probed legacy protocols and weak ciphers. Each one led to a deprecation or a configuration default change.
The Attacks at a Glance
Eight flaws, grouped by what they break. Read on for the detail and the fix for each:
Heartbleed
An OpenSSL heartbeat bug that leaks up to 64KB of server memory — including private keys.
POODLE
Exploits SSL 3.0 CBC padding to decrypt secure cookies and hijack sessions.
BEAST
Chosen-plaintext attack on TLS 1.0 CBC ciphers that recovers HTTPS cookies.
DROWN
Uses a stray SSLv2 endpoint to break modern TLS sharing the same RSA key.
FREAK
Downgrades connections to factorable 512-bit "export-grade" RSA keys.
Logjam
Forces weak 512-bit Diffie-Hellman groups, then breaks them in real time.
ROBOT
A revived Bleichenbacher oracle that decrypts RSA key-exchange sessions.
Sweet32
A birthday attack on 64-bit block ciphers (3DES, Blowfish) over long-lived connections.
Heartbleed (CVE-2014-0160)
Heartbleed is a serious vulnerability in OpenSSL's implementation of the TLS heartbeat extension. It allows attackers to read memory from affected servers, potentially exposing:
- Private keys used for SSL certificates
- User passwords and session tokens
- Sensitive data in server memory
How It Works
The heartbeat extension lets one end of a connection send a "heartbeat" message. The receiver must echo back the same data. The bug allowed attackers to request more data than they sent, causing the server to leak up to 64KB of memory per request.
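To make the length-check failure concrete, here is an added illustration (not OpenSSL's code, and not from the original article) of a heartbeat handler with and without the RFC 6520 check that the fix added. The record layout, the 16-byte minimum padding and the 64 KiB maximum come from the RFC; the heap contents and the "private key" string are constructed sample data, and the function names are this example's own:

```python
import struct

# RFC 6520 heartbeat message layout (inside a TLS record):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16


def heartbeat_reply_vulnerable(record: bytes, memory: bytes) -> bytes:
    """Models the pre-1.0.1g logic: the declared payload_length is trusted and
    that many bytes are copied from where the record sits in memory, so the
    reply can run far past the bytes the peer actually sent."""
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    # `memory` stands in for the heap: the record is at offset 0 and is
    # followed by whatever else the process had allocated nearby.
    return memory[3:3 + payload_length]


def heartbeat_reply_fixed(record: bytes) -> bytes:
    """The RFC 6520 section 4 check the fix added: the declared payload plus
    the minimum padding must fit inside the record that was received;
    otherwise the message is discarded and nothing is echoed."""
    if len(record) < 1 + 2 + MIN_PADDING:
        raise ValueError("heartbeat record too short: discard")
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        raise ValueError("payload_length exceeds record: discard silently")
    return record[3:3 + payload_length]


# Constructed sample: a request that claims 64 KiB of payload but carries 5 bytes.
MALFORMED_RECORD = struct.pack("!BH", HEARTBEAT_REQUEST, 65535) + b"hello" + b"\x00" * MIN_PADDING
# Constructed heap neighbour: unrelated data that happened to follow the record.
NEARBY_SECRET = b"...session cookie=abc123... -----BEGIN RSA PRIVATE KEY----- (placeholder) ..."
SIMULATED_MEMORY = MALFORMED_RECORD + NEARBY_SECRET


def leaked_by_vulnerable_server() -> bytes:
    """Bytes beyond the 5-byte payload that the unpatched handler would echo."""
    reply = heartbeat_reply_vulnerable(MALFORMED_RECORD, SIMULATED_MEMORY)
    return reply[5:]


def fixed_server_discards() -> bool:
    """True when the patched handler refuses the malformed request."""
    try:
        heartbeat_reply_fixed(MALFORMED_RECORD)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unpatched handler echoes", len(leaked_by_vulnerable_server()), "bytes it was never sent")
    print("patched handler discards the request:", fixed_server_discards())
```

The important line is the single comparison in `heartbeat_reply_fixed`: the bound comes from the bytes that actually arrived on the wire, never from a length field the peer controls.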
Protection
- Update OpenSSL to version 1.0.1g or later.
- Replace SSL certificates after patching — private keys may have leaked.
- Reset user passwords if you were affected.
- Do not keep serving the old certificate: its private key is now untrustworthy.
- Do not assume "patched" means "safe" without rotating keys and sessions.
POODLE (CVE-2014-3566)
POODLE (Padding Oracle On Downgraded Legacy Encryption) exploits a flaw in SSL 3.0's use of CBC-mode ciphers. It allows attackers to decrypt secure cookies, potentially hijacking user sessions.
How It Works
SSL 3.0 doesn't properly validate padding in CBC mode. By manipulating encrypted traffic, an attacker can gradually reveal plaintext data one byte at a time.
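The difference between "doesn't properly validate padding" and a proper check is small enough to show side by side. This is an added example, not code from the article or from any SSL/TLS library: two padding checks over an already-decrypted CBC block, one following SSL 3.0's rule (only the length byte is examined) and one following the TLS rule (every padding byte must equal the length byte). The block size and the sample blocks are constructed for the illustration.

```python
BLOCK_SIZE = 16  # AES-CBC block size; SSL 3.0 requires the padding to be shorter than one block


def ssl3_padding_valid(decrypted: bytes) -> bool:
    """SSL 3.0 rule: only the final byte (the padding length) is inspected, and
    only to confirm it is smaller than the block size. The padding bytes in
    front of it are never compared with anything, so any values are accepted."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len < BLOCK_SIZE and pad_len + 1 <= len(decrypted)


def tls_padding_valid(decrypted: bytes) -> bool:
    """TLS 1.0+ rule: every padding byte must equal the padding-length byte,
    so a block of arbitrary bytes is rejected unless all of them line up."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if pad_len + 1 > len(decrypted):
        return False
    return all(b == pad_len for b in decrypted[-(pad_len + 1):])


# Constructed sample: a full-padding block whose first 15 bytes are garbage.
# This is what a substituted ciphertext block typically decrypts to when its
# last byte happens to come out as 15.
GARBAGE_THEN_15 = bytes(range(15)) + bytes([15])
# Constructed sample: a correctly formed full-padding block.
PROPER_PADDING = bytes([15]) * 16


def compare_checks(block: bytes) -> dict:
    """Return how each protocol's padding rule judges the same decrypted block."""
    return {"ssl3": ssl3_padding_valid(block), "tls": tls_padding_valid(block)}


if __name__ == "__main__":
    print("garbage block:", compare_checks(GARBAGE_THEN_15))   # SSL 3.0 accepts, TLS rejects
    print("proper block: ", compare_checks(PROPER_PADDING))    # both accept
```

Because SSL 3.0 accepts `GARBAGE_THEN_15`, whether a record with a substituted last block is accepted or rejected depends only on that final byte, which is the one-bit signal the padding oracle is built on. Under the TLS rule the same block is rejected regardless of the last byte, so the signal is gone.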
Protection
- Disable SSL 3.0 entirely on your servers
- Use TLS 1.2 or TLS 1.3 instead
- Enable TLS_FALLBACK_SCSV to prevent protocol downgrade attacks
BEAST (CVE-2011-3389)
BEAST (Browser Exploit Against SSL/TLS) targets TLS 1.0's use of CBC ciphers. It allows attackers to decrypt HTTPS cookies through a chosen-plaintext attack.
How It Works
TLS 1.0 uses the last ciphertext block of one record as the IV for the next record, making the IV predictable. Combined with browser exploits (like Java applets), attackers can deduce encrypted content.
Protection
- Disable TLS 1.0 where possible and use TLS 1.2 or TLS 1.3
- Do not use RC4 (deprecated and insecure since 2015)
- Prefer AEAD cipher suites (AES-GCM, ChaCha20-Poly1305)
- Modern browsers include client-side mitigations, but server-side fixes are more reliable
DROWN (CVE-2016-0800)
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) allows attackers to decrypt TLS connections if SSLv2 is enabled anywhere on the server.
How It Works
Even if your main site uses TLS 1.2, having SSLv2 enabled (even on a different port) can be exploited to break the encryption of modern connections using the same RSA key.
Protection
- Disable SSLv2 completely on all servers and ports
- Don't share RSA keys across servers with different SSL configurations
- Update OpenSSL to a version that disables SSLv2 by default
FREAK (CVE-2015-0204)
FREAK (Factoring RSA Export Keys) exploits servers that still support "export-grade" cryptography - deliberately weakened encryption from the 1990s.
How It Works
Attackers can force a downgrade to weak 512-bit RSA keys, which can be factored within hours using modern computing power.
Protection
- Disable all export cipher suites
- Use only strong cipher suites with 2048-bit or larger keys
- Regularly audit your cipher configuration
Logjam (CVE-2015-4000)
Logjam attacks the Diffie-Hellman key exchange, specifically targeting weak 512-bit and 1024-bit parameters.
How It Works
Attackers can downgrade connections to 512-bit DH groups, then perform a precomputation attack to break the encryption in real-time.
Protection
- Use 2048-bit or larger Diffie-Hellman parameters
- Disable export cipher suites
- Prefer ECDHE (Elliptic Curve) over DHE
- Generate custom DH parameters: `openssl dhparam -out dhparams.pem 2048`
ROBOT (Return Of Bleichenbacher's Oracle Threat, 2017)
ROBOT is a modernised form of the 1998 Bleichenbacher attack against TLS implementations using RSA encryption key exchange (RSA key transport). It allows an attacker to passively decrypt recorded TLS sessions or sign messages with the server's private key — without ever obtaining the key itself.
How It Works
Affected TLS stacks reveal — through error messages or timing — whether a tampered RSA ciphertext decrypts to valid PKCS#1 v1.5 padding. Repeating this query as an "oracle" lets the attacker recover the plaintext premaster secret for any captured session. RSA key exchange has no forward secrecy, so recorded sessions stay decryptable as long as the server key is the same.
Protection
- Disable all RSA key-exchange cipher suites (any cipher beginning with TLS_RSA_WITH_…)
- Use only ECDHE/DHE cipher suites — they provide forward secrecy and aren't vulnerable
- TLS 1.3 removes RSA key transport entirely, so deployments restricted to TLS 1.3 are not affected
Sweet32 (CVE-2016-2183)
Sweet32 is a birthday attack against 64-bit block ciphers like 3DES and Blowfish in TLS connections.
How It Works
After capturing enough encrypted data (about 32GB), attackers can find collisions in the cipher blocks and recover parts of the plaintext.
Protection
- Disable 3DES and Blowfish ciphers
- Use AES-128 or AES-256 instead (128-bit block size)
- Update your cipher suite preferences
Vulnerability Summary Table
| Vulnerability | Severity | Affected | Fix |
|---|---|---|---|
| Heartbleed | Critical | OpenSSL 1.0.1-1.0.1f | Update OpenSSL |
| POODLE | High | SSL 3.0 | Disable SSL 3.0 |
| BEAST | Medium | TLS 1.0 with CBC | Use TLS 1.2+ |
| DROWN | High | SSLv2 enabled | Disable SSLv2 |
| FREAK | High | Export ciphers | Disable export ciphers |
| Logjam | High | Weak DH parameters | Use 2048-bit DH |
| ROBOT | High | RSA key-exchange ciphers | Disable RSA-KEX; prefer ECDHE / TLS 1.3 |
| Sweet32 | Medium | 3DES, Blowfish | Disable 64-bit ciphers |
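The Protection lists for POODLE, BEAST, FREAK, Logjam, ROBOT and Sweet32 all come down to the same two actions: raise the minimum protocol version and remove specific cipher suites. The following is an added example (not from the article, and not any project's own tooling) that encodes those rules using Python's standard `ssl` module: `audit_cipher` flags a suite name against the attacks in the table, and `hardened_server_context` builds a context that should produce no findings. It accepts IANA suite names (`TLS_RSA_WITH_...`), OpenSSL names (`DES-CBC3-SHA`) or the `description` strings returned by `SSLContext.get_ciphers()`; the function names, the cipher string and the "Kx=" / "Enc=" substring matching are this example's own choices, and OpenSSL short names for RSA key-exchange suites (such as `AES128-SHA`) only get caught when the description string is passed.

```python
import ssl


def audit_cipher(spec: str) -> list[str]:
    """Return the findings for one cipher suite, in the terms of the attacks above.
    An empty list means the suite passes every rule."""
    s = spec.upper()
    findings = []
    if "EXP" in s:                                   # EXP-RC4-MD5, TLS_RSA_EXPORT_WITH_..., "export"
        findings.append("export-grade suite (FREAK / Logjam): remove")
    if s.startswith("TLS_RSA_") or "KX=RSA" in s:    # RSA key transport, no forward secrecy
        findings.append("RSA key exchange (ROBOT): use ECDHE/DHE or TLS 1.3")
    if s.startswith(("TLS_DHE_", "TLS_DH_", "DHE-", "DH-")) or "KX=DH" in s:
        findings.append("finite-field DH (Logjam): needs 2048-bit or larger parameters; prefer ECDHE")
    if "3DES" in s or "DES-CBC" in s or "WITH_DES_" in s or "BLOWFISH" in s:
        findings.append("64-bit block cipher (Sweet32): replace with AES")
    if "RC4" in s:
        findings.append("RC4: deprecated and insecure since 2015")
    if not any(t in s for t in ("GCM", "CCM", "CHACHA20", "AEAD")):
        findings.append("non-AEAD suite (CBC attacks such as BEAST/POODLE): prefer AES-GCM or ChaCha20-Poly1305")
    return findings


def hardened_server_context() -> ssl.SSLContext:
    """Server context following the article's recommendations:
    TLS 1.2 minimum (no SSLv2/SSLv3 for DROWN/POODLE, no TLS 1.0 for BEAST),
    ECDHE-only key exchange (no RSA transport for ROBOT, no finite-field DH for
    Logjam) and AEAD-only ciphers (no CBC, 3DES, RC4 or export suites)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    # OpenSSL cipher-string keywords: ECDHE key exchange with AES-GCM or ChaCha20,
    # minus anonymous suites and MD5-based MACs.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict[str, list[str]]:
    """Run audit_cipher over every suite the context would actually offer.
    The description string carries 'Kx=' and 'Enc=' fields, so RSA key
    exchange is detected even for OpenSSL's short names."""
    report = {}
    for cipher in ctx.get_ciphers():
        findings = audit_cipher(cipher["description"])
        if findings:
            report[cipher["name"]] = findings
    return report


# Constructed sample of a legacy configuration, in IANA and OpenSSL spellings.
LEGACY_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def audit_names(names: list[str]) -> dict[str, list[str]]:
    """Audit a list of suite specs; only suites with findings are reported."""
    return {n: f for n in names if (f := audit_cipher(n))}


if __name__ == "__main__":
    for name, findings in audit_names(LEGACY_SUITES).items():
        print(name)
        for f in findings:
            print("   -", f)
    print("hardened context findings:", audit_context(hardened_server_context()))
```

Running the audit against `hardened_server_context()` on the same machine that serves traffic is the cheapest regression check for the "regularly audit your cipher configuration" bullet: if a future OpenSSL upgrade or a copied cipher string reintroduces RSA key exchange or a CBC suite, the report stops being empty.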
Test Your Server Now
Don't wait until you're compromised. Use our free SSL scanner to check if your server is vulnerable to any of these attacks.