Technical Deep-Dives

TLS Attacks and Vulnerabilities: A Pro Guide

Major TLS attacks explained: POODLE, BEAST, Heartbleed, Logjam, Sweet32, ROBOT, and DROWN. Detection methods, real-world impact, and mitigations.

RG&T
Rathnakara GN & Theertha
Cybersecify
9 min read

Article 4 of 6: Understanding TLS Security Series

Major TLS attacks fall into five categories: protocol attacks (POODLE 2014, BEAST 2011, Logjam 2015, FREAK 2015), cipher attacks (Sweet32 2016, RC4 biases, Lucky13 2013), implementation attacks (Heartbleed 2014, ROBOT 2017, goto fail), certificate attacks (DigiNotar 2011, Symantec 2017), and downgrade attacks (DROWN 2016). Every attack in this list is mitigated by TLS 1.3. With 90%+ adoption in 2026, the defensive priority is enabling TLS 1.3 and disabling legacy protocols (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1) plus weak ciphers (RSA key exchange, CBC mode, 3DES, RC4, export ciphers). Test with testssl.sh, nmap ssl-enum-ciphers, and SSL Labs.

Key findings

  • TLS 1.3 eliminates every attack vector in this article. No CBC, no RSA key exchange, no export ciphers, no SSLv2/3 compatibility, no plaintext certificate. Enabling TLS 1.3 is the highest-leverage TLS hardening action.
  • POODLE (2014, CVE-2014-3566) exploits SSL 3.0 CBC padding validation. Mitigation is to disable SSL 3.0 entirely per RFC 7568.
  • Heartbleed (2014, CVE-2014-0160) leaked up to 64KB of server memory per request including private keys, affecting 17% of HTTPS servers at disclosure. Implementation bug in OpenSSL 1.0.1 through 1.0.1f, not a protocol flaw.
  • Logjam (2015, CVE-2015-4000) downgraded connections to export-grade 512-bit DHE. Even 1024-bit DH with common primes may be breakable by nation-state precomputation.
  • DROWN (2016, CVE-2016-0800) decrypts modern TLS by using SSLv2 oracle on any server sharing the same RSA key. 33% of HTTPS servers affected at disclosure. Key lesson: a legacy protocol on any server compromises all servers sharing the key.
  • ROBOT (2017, CVE-2017-13099) is Bleichenbacher’s 1998 RSA PKCS#1 v1.5 padding oracle attack rediscovered. Affected Facebook, PayPal, F5, Cisco, Citrix. Mitigation is to disable RSA key exchange entirely.
  • Sweet32 (2016, CVE-2016-2183) is a birthday attack on 64-bit block ciphers (3DES, Blowfish). Practical with ~785GB captured traffic. Disable 3DES; use AES (128-bit blocks).

Cybersecify is a founder-led penetration testing and security consulting firm based in Bengaluru, India, serving AI-first and API-first SaaS startups. We test these attack classes in production pentest engagements, including downgrade attacks, certificate validation, cipher suite weaknesses, and library version exposure. For an example of the pentest deliverable that documents these findings, see our SOC 2 + ISO 27001 ready pentest report sample.

Understanding TLS attacks is essential for security professionals. This article covers the major attacks against TLS, organized by attack category: protocol attacks, cipher attacks, implementation attacks, and certificate attacks.

For each attack, we cover the theory (how it works), practical aspects (detection and tools), and reality (real-world impact and mitigation).

2026 Update: All attacks listed are mitigated by TLS 1.3. With 90%+ adoption in 2026, focus on ensuring TLS 1.3 is enabled and legacy protocols disabled.

Attack Categories Overview

CategoryTargetExamples
Protocol AttacksTLS protocol design flawsPOODLE, BEAST, Logjam, FREAK
Cipher AttacksWeak cryptographic algorithmsSweet32, RC4 biases, Lucky13
Implementation AttacksSoftware bugs in TLS librariesHeartbleed, ROBOT, goto fail
Certificate AttacksPKI and trust modelDigiNotar, Symantec, hash collisions
Downgrade AttacksForce weaker versions/ciphersDROWN, version rollback

1. POODLE Attack

POODLE (Padding Oracle On Downgraded Legacy Encryption), 2014 | CVE-2014-3566

Theory: How It Works

  1. Attacker forces downgrade from TLS to SSL 3.0
  2. SSL 3.0 CBC mode has flawed padding validation
  3. Attacker sends modified ciphertext, observes error responses
  4. After ~256 requests per byte, attacker recovers plaintext

Why It Works: SSL 3.0 only checks the last byte of padding, not the entire padding block. The attacker can distinguish valid vs invalid padding by server response.

Practical: Detection

# Check if SSL 3.0 is supported
openssl s_client -connect example.com:443 -ssl3

# Using nmap
nmap --script ssl-enum-ciphers -p 443 example.com

# Using testssl.sh
testssl.sh --poodle example.com

Reality: Impact

ImpactDetails
SeverityHIGH. Session cookies can be stolen
RequirementsMITM position, victim makes many requests (JavaScript)
AffectedAll servers supporting SSL 3.0 with CBC ciphers
MitigationDisable SSL 3.0 entirely (RFC 7568)
TLS 1.3NOT AFFECTED, SSL 3.0 not supported

2. BEAST Attack

BEAST (Browser Exploit Against SSL/TLS), 2011 | CVE-2011-3389

Theory: How It Works

  1. Targets TLS 1.0 CBC mode with predictable IV
  2. IV for block N is ciphertext of block N-1 (predictable)
  3. Attacker injects chosen plaintext via JavaScript
  4. Compares ciphertext to guess secret values byte-by-byte

TLS 1.1+ fixed this by using random IV for each record, breaking the predictability.

Practical: Detection

# Check for TLS 1.0 with CBC
openssl s_client -connect example.com:443 -tls1 -cipher 'CBC'

# Using testssl.sh
testssl.sh --beast example.com

Reality: Impact

ImpactDetails
SeverityMEDIUM. Requires specific conditions
RequirementsMITM, TLS 1.0, CBC cipher, same-origin bypass
MitigationUse TLS 1.2+, prefer AEAD ciphers (GCM)
Browser Fix1/n-1 record splitting workaround implemented
TLS 1.3NOT AFFECTED, no CBC ciphers

3. Heartbleed

Heartbleed, 2014 | CVE-2014-0160

Theory: How It Works

  1. Bug in OpenSSL heartbeat extension (RFC 6520)
  2. Client sends heartbeat with claimed length (e.g., 64KB)
  3. Server copies that many bytes without bounds check
  4. Up to 64KB of server memory leaked per request

What Can Leak:

  • Private keys (catastrophic)
  • Session tokens and cookies
  • User credentials
  • Other users’ data in memory

Practical: Detection

# Using nmap
nmap -p 443 --script ssl-heartbleed example.com

# Check OpenSSL version
openssl version -a  # Vulnerable: 1.0.1 through 1.0.1f

# Using testssl.sh
testssl.sh --heartbleed example.com

Reality: Impact

ImpactDetails
SeverityCRITICAL. Private keys extractable
Scope17% of all HTTPS servers at disclosure (~500K)
ExploitabilityTrivial, no authentication needed, leaves no logs
MitigationUpdate OpenSSL, revoke and reissue certificates
Key LessonImplementation bugs can be worse than protocol flaws

4. Logjam Attack

Logjam, 2015 | CVE-2015-4000

Theory: How It Works

  1. MITM downgrades connection to export-grade DHE (512-bit)
  2. 512-bit DH can be broken in minutes with precomputation
  3. Many servers use same DH parameters (shared primes)
  4. NSA may have precomputed discrete log for common primes

1024-bit DH with common primes may be breakable by nation-state attackers who precompute discrete log tables.

Practical: Detection

# Check DH parameters size
openssl s_client -connect example.com:443 -cipher 'DHE' 2>&1 | grep 'Server Temp Key'

# Check for export ciphers
nmap --script ssl-enum-ciphers -p 443 example.com | grep EXPORT

# Using testssl.sh
testssl.sh --logjam example.com

Reality: Impact

ImpactDetails
SeverityHIGH. Active MITM can decrypt traffic
Affected8.4% of top 1M sites supported DHE_EXPORT
MitigationDisable export ciphers, use 2048-bit DH or ECDHE
TLS 1.3NOT AFFECTED, no DHE_EXPORT, ECDHE only

5. Sweet32 Attack

Sweet32 (Birthday Attack on Block Ciphers), 2016 | CVE-2016-2183

Theory: How It Works

  1. Birthday attack on 64-bit block ciphers (3DES, Blowfish)
  2. After 2^32 blocks (~32GB), collision likely
  3. Collision reveals XOR of two plaintext blocks
  4. With known plaintext, can recover secrets

Practical attack requires ~785GB of captured traffic but is feasible for long-lived connections.

Practical: Detection

# Check for 3DES support
openssl s_client -connect example.com:443 -cipher '3DES'

# Using nmap
nmap --script ssl-enum-ciphers -p 443 example.com | grep -i 'des'

Reality: Impact

ImpactDetails
SeverityMEDIUM. Requires large traffic volume
Practical~38 hours of traffic capture needed
MitigationDisable 3DES, use AES (128-bit blocks)
TLS 1.3NOT AFFECTED, 3DES removed

6. ROBOT Attack

ROBOT (Return Of Bleichenbacher’s Oracle Threat), 2017 | CVE-2017-13099

Theory: How It Works

  1. Targets RSA key exchange (PKCS#1 v1.5 padding)
  2. Server reveals if padding is valid via timing/errors
  3. Attacker sends modified ciphertexts, observes oracle
  4. Can forge signature or decrypt pre-master secret

This is the same Bleichenbacher attack from 1998, rediscovered because vendors failed to implement countermeasures correctly.

Practical: Detection

# Check for RSA key exchange ciphers
openssl s_client -connect example.com:443 -cipher 'RSA' 2>&1 | grep Cipher

# Using ROBOT scanner
python robot-detect.py -q example.com

Reality: Impact

ImpactDetails
SeverityHIGH. Can decrypt or forge signatures
AffectedFacebook, PayPal, F5, Cisco, Citrix at disclosure
MitigationDisable RSA key exchange entirely
TLS 1.3NOT AFFECTED, RSA key exchange removed

7. DROWN Attack

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), 2016 | CVE-2016-0800

Theory: How It Works

  1. Server shares RSA key between TLS and SSLv2
  2. Attacker captures TLS traffic (modern)
  3. Uses SSLv2 oracle to decrypt RSA pre-master secret
  4. Decrypts captured TLS session

SSLv2 on ANY server sharing the key makes ALL servers using that key vulnerable.

Practical: Detection

# Check for SSLv2 support
openssl s_client -connect example.com:443 -ssl2

# Using testssl.sh
testssl.sh --drown example.com

Reality: Impact

ImpactDetails
SeverityCRITICAL. Passive decryption of TLS traffic
Scope33% of all HTTPS servers affected
MitigationDisable SSLv2 everywhere, use unique keys
Key LessonLegacy protocol on any server compromises all

Attack Summary Matrix

AttackYearTargetMitigationTLS 1.3
POODLE2014SSL 3.0 CBCDisable SSL 3.0Safe
BEAST2011TLS 1.0 CBC IVUse TLS 1.2+Safe
Heartbleed2014OpenSSL bugUpdate OpenSSLN/A
Logjam2015Export DHE2048-bit DHSafe
FREAK2015Export RSADisable exportSafe
Sweet32201664-bit blocksDisable 3DESSafe
DROWN2016SSLv2 + RSADisable SSLv2Safe
ROBOT2017RSA PKCS#1Disable RSA KESafe
Lucky132013CBC timingUse AEADSafe

Comprehensive Scan Command

# testssl.sh - comprehensive TLS vulnerability scan
testssl.sh --poodle --heartbleed --robot example.com

# nmap scripts
nmap --script ssl-heartbleed,ssl-poodle -p 443 example.com

Key Takeaways

  • Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
  • Disable RSA key exchange, use ECDHE only
  • Disable CBC ciphers, use AEAD (GCM) only
  • Disable 3DES, RC4, export ciphers
  • Keep TLS libraries updated (Heartbleed lesson)
  • Use unique keys per service (DROWN lesson)
  • TLS 1.3 eliminates most attack vectors

Previous: Article 3: TLS 1.3: The Modern Standard

Next: Article 5: Man-in-the-Middle Attacks

This is part of our 6-article series on Understanding TLS Security.

We actively test for these TLS attack vectors during our Web Application Pentest and IoT Pentest engagements, including downgrade attacks, certificate validation, and cipher suite weaknesses. Get a free security snapshot or view pricing.

Related: TLS 1.2 Deep Dive: Complete Handshake Breakdown, MITM Attacks: How to Detect and Stop Them in 2026, SOC 2 + ISO 27001 ready pentest report sample.

Frequently Asked Questions

What is the POODLE attack and how do I prevent it?

POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566) is a 2014 attack against SSL 3.0 that exploits CBC padding validation. An attacker who can intercept and modify TLS traffic (typically via active MITM) can downgrade the connection to SSL 3.0 and then decrypt one byte of ciphertext at a time using the CBC padding oracle. The attack recovers session cookies in roughly 256 requests per byte. Mitigation is to disable SSL 3.0 entirely (RFC 7568 deprecates SSL 3.0). Every modern server, browser, and CDN has dropped SSL 3.0 support. If your server still negotiates SSL 3.0, your SSL Labs grade will drop to F regardless of other configuration. Test with `openssl s_client -ssl3 -connect host:443` (should fail).

What was Heartbleed and is it still a risk in 2026?

Heartbleed (CVE-2014-0160) was a 2014 OpenSSL bug in the TLS heartbeat extension that let an attacker read up to 64KB of server memory per request, leaking private keys, session cookies, passwords, and any other sensitive data resident in memory. It affected OpenSSL 1.0.1 through 1.0.1f and roughly 17 percent of HTTPS servers on disclosure. Patched in OpenSSL 1.0.1g (April 2014). In 2026, Heartbleed is mostly a historical attack because almost all production systems have upgraded. Risk remains on un-patched legacy embedded devices, abandoned IoT firmware, and orphaned VMs. The lesson that endures: implementation bugs in TLS libraries are protocol-independent. Keep OpenSSL, BoringSSL, GnuTLS, and language runtime TLS stacks current.

What is the Logjam attack?

Logjam (CVE-2015-4000) is a 2015 attack that downgrades the Diffie-Hellman key exchange to export-grade 512-bit DH, which is then breakable by an active attacker in real-time (or by nation-state precomputation against common 1024-bit DH groups). The attack works because many servers still supported DHE_EXPORT cipher suites and shared common DH primes. Mitigation: disable export cipher suites entirely, use unique DH parameters of 2048 bits or more (`openssl dhparam -out dhparams.pem 2048`), prefer ECDHE over DHE (elliptic-curve DH does not have the precomputation weakness). In 2026, ECDHE-only is the recommended posture. TLS 1.3 removed DHE and DHE_EXPORT entirely and uses only modern named groups (X25519, secp256r1, secp384r1).

What is the Sweet32 attack and which ciphers does it break?

Sweet32 (CVE-2016-2183) is a 2016 birthday-bound attack against 64-bit block ciphers, specifically 3DES (Triple DES) and Blowfish. After approximately 2^32 blocks (~32 GB) of ciphertext under the same key, the probability of a block collision becomes practically observable, which leaks plaintext via XOR analysis. The attack is practical in long-lived TLS sessions (HTTPS keep-alive, BEAST-style adaptive chosen plaintext via JavaScript). Mitigation: disable 3DES entirely. Use AES (128-bit block size, so the equivalent birthday bound is 2^64 blocks ~ exabytes which is operationally infeasible). Disable Blowfish, IDEA, and any other 64-bit-block cipher in TLS. Modern TLS 1.2 hardening and all of TLS 1.3 already exclude these.

What is the ROBOT attack against RSA key exchange?

ROBOT (Return Of Bleichenbacher's Oracle Threat, CVE-2017-13099 and related) is a 2017 rediscovery of Bleichenbacher's 1998 RSA PKCS#1 v1.5 padding oracle attack. Researchers found the original attack was still exploitable against major implementations including F5 BIG-IP, Citrix NetScaler, Cisco ACE, Erlang, Bouncy Castle, WolfSSL. Affected sites included Facebook, PayPal, multiple banks. The attack lets an attacker decrypt arbitrary RSA-encrypted messages or forge signatures, effectively compromising the session. Mitigation: disable RSA key exchange entirely and use ECDHE-only cipher suites. TLS 1.3 removed RSA key exchange, eliminating the entire attack class structurally. ROBOT is a strong reason TLS 1.3 is considered structurally safer than even hardened TLS 1.2.

What is DROWN and why does it affect TLS 1.2 even though it targets SSLv2?

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption, CVE-2016-0800) is a 2016 cross-protocol attack that uses an SSLv2 oracle on one server to decrypt modern TLS connections on any server that shares the same RSA private key or certificate. At disclosure, 33 percent of all HTTPS servers were affected because legacy mail servers (SMTPS, IMAPS, POP3S) often still spoke SSLv2 and shared keys with the main web server. The attack works in roughly 8 hours of computation per session. Mitigation: disable SSLv2 everywhere it lives (web, mail, FTP, custom apps) and rotate keys if you suspect any shared-key SSLv2 server existed. The lesson: a legacy protocol surviving anywhere on shared keys compromises everything sharing those keys. Inventory all TLS endpoints, not just your web servers.

What is the BEAST attack against CBC ciphers in TLS 1.0?

BEAST (Browser Exploit Against SSL/TLS, 2011) exploits a predictable IV pattern in TLS 1.0 CBC cipher suites. An attacker with the ability to inject JavaScript into the victim's browser (via XSS or active MITM injecting a script) can recover small known-position secrets like session cookies via adaptive chosen-plaintext queries. Mitigation in TLS 1.0 was to switch to RC4 (which was later broken too) or apply the 1/n-1 split workaround. The real fix is to disable TLS 1.0 entirely (deprecated per RFC 8996) and use TLS 1.2 with explicit IVs or AEAD modes, or TLS 1.3. All major browsers dropped TLS 1.0 and TLS 1.1 in 2020. In 2026, any server still negotiating TLS 1.0 has bigger problems than BEAST.

What is the Lucky13 attack?

Lucky13 (CVE-2013-0169) is a 2013 timing attack against TLS 1.0, 1.1, 1.2 implementations using CBC cipher suites with HMAC-then-Encrypt (MAC-then-Encrypt) construction. The MAC verification time depends slightly on the padding length, which an attacker can measure across many connections to recover plaintext one byte at a time. The fix in implementations was constant-time MAC verification (OpenSSL, NSS, GnuTLS, BoringSSL all patched). The cleaner fix: switch to AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) which use Encrypt-then-MAC and do not have the variable-time padding check. TLS 1.3 uses AEAD-only, eliminating Lucky13 structurally. For TLS 1.2 hardening: disable CBC mode cipher suites entirely; use AEAD-only.

How do I test my server for known TLS vulnerabilities?

Three tools cover most needs. testssl.sh (free, comprehensive command-line tool, github.com/drwetter/testssl.sh): `./testssl.sh https://example.com` produces a full vulnerability scan including POODLE, Heartbleed, ROBOT, Sweet32, BEAST, Logjam, DROWN, plus protocol and cipher checks. SSL Labs (free public service, ssllabs.com/ssltest): browser-based with grading A through F and explicit vulnerability indicators. nmap with ssl-enum-ciphers script: `nmap --script ssl-enum-ciphers -p 443 example.com` lists every negotiable cipher suite per protocol version. For internal testing of non-public servers, testssl.sh and nmap work; SSL Labs requires public reachability. Run after every TLS configuration change. Integrate into CI/CD for pre-deploy gating.

What does Certificate Transparency protect against?

Certificate Transparency (CT, RFC 6962) protects against rogue CA issuance and detection delays. Historically, when DigiNotar was breached in 2011 and issued a forged *.google.com certificate, detection took weeks. CT requires every publicly trusted certificate to be logged in public append-only logs operated by multiple parties. Browsers refuse to trust certificates issued after April 2018 that lack at least 2 SCTs (Signed Certificate Timestamps). Domain owners monitor crt.sh, Censys, Facebook CT Monitor for unexpected certificates issued in their domain's name. For SaaS startups: set up CT log monitoring for your production domains. Alerts on unexpected issuance catch misconfigured CI/CD pipelines, internal CA leaks, or actual attacker certificate forgery within minutes instead of weeks.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM Rathnakara GN on LinkedIn.

Share this article
TLSvulnerabilitiesPOODLEHeartbleedBEASTLogjamDROWNROBOTsecurity testing