Learn Heartbleed, POODLE, And BEAST | Attacks, Operations, And Real-World HTTPS
TLS and HTTPS Internals

Heartbleed, POODLE, And BEAST


You've made it to Section 3. We've covered how TLS works in theory. Now let's look at how it broke in practice — three attacks from the 2010s that reshaped how the internet thinks about cryptographic engineering. Each one cost the industry tens of millions in scrambling, killed an entire protocol generation, and left a permanent mark on modern best practices.

If you remember nothing else from this chapter, remember the pattern: every modern TLS best practice has a name and a date attached to it. The reason ChaCha20-Poly1305 exists, the reason TLS 1.3 banned CBC, the reason openssl s_client got a new validation flag — every one of those is the residue of a real attack.

Heartbleed — April 2014

The most famous TLS bug in history. Not even an attack on TLS itself — an implementation bug in OpenSSL, the library most servers use to speak TLS.

OpenSSL had a feature called the heartbeat extension that let clients send a "keep-alive" message to a server. The message had this shape:

  • "Echo back this payload" — a chunk of bytes;
  • "By the way, the payload is N bytes long" — a length field.

The bug: OpenSSL didn't check that N matched the actual payload size. A malicious client could send a 4-byte payload but claim it was 64 KB. The server would dutifully read 64 KB from memory and send it back. That memory was filled with whatever the server had been working on — other users' passwords, session cookies, banking data, and (in the worst case) the server's own private key.

The damage:

  • 17% of all internet servers were vulnerable when disclosed;
  • Every affected server had to rotate every key, every credential, every cookie that had ever been in memory;
  • Total industry cost estimated in the hundreds of millions of dollars;
  • Yahoo, Stripe, GitHub, and most major sites were affected.

The fix was a one-line code change: validate the length field. The lesson was much bigger — complex protocol features (like heartbeat) add attack surface for marginal benefit. TLS 1.3 removed the heartbeat extension entirely.
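The missing comparison in miniature. This is an added example, not OpenSSL's code: the "process memory" is a constructed bytearray standing in for whatever sat next to the record buffer on the heap, and the message framing (type, two-byte length, payload, padding) follows RFC 6520. The vulnerable handler copies as many bytes as the length field claims; the fixed handler applies the check from the patch, which discards any message whose claimed payload plus mandatory padding exceeds the bytes actually received.

```python
"""Heartbleed in miniature: a heartbeat handler that trusts the length field,
beside the patched check. Added example; MEMORY is a constructed stand-in for
neighbouring heap data, and the framing follows RFC 6520."""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed stand-in for whatever happened to sit next to the record buffer.
MEMORY = bytearray(
    b"GET /account HTTP/1.1\r\nCookie: session=deadbeefcafe; path=/\r\n"
    b"-----BEGIN PRIVATE KEY----- (constructed placeholder) -----END PRIVATE KEY-----"
)


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """type(1) | payload_length(2) | payload | padding. `claimed_len` lets the
    length field disagree with the real payload, which is the whole bug."""
    n = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, n) + payload + b"\x00" * MIN_PADDING


def handle_vulnerable(record: bytes, memory: bytearray) -> bytes:
    """Pre-patch behaviour: copy `payload_length` bytes starting at the payload,
    with no check that that many bytes exist in the record."""
    heap = bytearray(record) + memory  # record buffer followed by unrelated heap data
    _, payload_len = struct.unpack("!BH", heap[:3])
    # The over-read: the slice runs past the real payload into neighbouring memory.
    echoed = bytes(heap[3:3 + payload_len])
    return struct.pack("!BH", HB_RESPONSE, len(echoed)) + echoed


def handle_fixed(record: bytes, memory: bytearray) -> Optional[bytes]:
    """Patched behaviour: drop the message if type + length + claimed payload +
    minimum padding would exceed the bytes actually received."""
    _, payload_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None  # silently discarded, as the fix does
    payload = record[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload


def leaked_bytes(response: bytes, real_payload: bytes) -> bytes:
    """Everything in the echo beyond what the client actually sent."""
    return response[3 + len(real_payload):]


def demo() -> dict:
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", claimed_len=0xFFFF)  # 4 bytes sent, 64 KB claimed
    return {
        "vulnerable_honest_leak": leaked_bytes(handle_vulnerable(honest, MEMORY), b"ping"),
        "vulnerable_lying_leak": leaked_bytes(handle_vulnerable(lying, MEMORY), b"ping"),
        "fixed_drops_lie": handle_fixed(lying, MEMORY),
        "fixed_echoes_honest": handle_fixed(honest, MEMORY),
    }


if __name__ == "__main__":
    r = demo()
    print("leaked by vulnerable handler:", r["vulnerable_lying_leak"][:80])
    print("fixed handler on lying message:", r["fixed_drops_lie"])
```

Run it and the vulnerable handler's echo contains the constructed cookie and key material that followed the record in memory, while the fixed handler returns nothing for the lying message and an ordinary four-byte echo for the honest one.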

POODLE — October 2014

POODLE stands for "Padding Oracle On Downgraded Legacy Encryption." Mouthful, but the attack is elegant.

By 2014, every modern browser supported TLS 1.0, 1.1, and 1.2, but also still spoke SSL 3.0 — an 18-year-old protocol — for "compatibility with old servers." The attack went like this:

  • Attacker on the network intercepts the TLS handshake;
  • Drops or corrupts ClientHello packets until the browser, thinking modern TLS is broken, falls back to SSL 3.0;
  • Once on SSL 3.0, the attacker exploits a known weakness in CBC padding to decrypt the victim's session cookie one byte at a time.

256 carefully crafted requests revealed one byte. A few thousand requests revealed a session cookie. Attacker takes over the session.

The fix wasn't fixing SSL 3.0 — it was killing it. Every browser disabled SSL 3.0 within weeks of disclosure. The lesson: legacy protocols are landmines. Backward compatibility is a security cost. Keep your supported versions narrow and modern.

BEAST — September 2011

BEAST = "Browser Exploit Against SSL/TLS." The first major real-world TLS attack and the one that started the "kill CBC" movement.

The setup: TLS 1.0 used CBC mode with a predictable initialization vector (IV) — the IV for each record was the last ciphertext block of the previous record. If an attacker could inject chosen plaintext into a victim's TLS session and observe the resulting ciphertext, they could decrypt other parts of the session that the victim sent.

The attack:

  • Victim is logged into their bank in one tab;
  • Attacker tricks the victim into loading a malicious page in another tab (or injects JavaScript into a low-security site they're visiting);
  • Attacker's JavaScript makes the browser send carefully crafted requests on the bank's connection;
  • Watching the resulting ciphertext, the attacker pieces together the session cookie.

It worked. Real proof-of-concepts decrypted real session cookies in real browsers.

The immediate fix was a hack: split the first byte of each record off into its own record, breaking the IV prediction. The proper fix was TLS 1.1's explicit IVs and eventually getting rid of CBC entirely. TLS 1.3 removed CBC. AEAD ciphers like AES-GCM and ChaCha20-Poly1305 don't have this class of bug because they don't use CBC at all.
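A toy CBC record layer that shows both of the CBC weaknesses just described, the SSL 3.0 padding check behind POODLE and the chained IVs behind BEAST, beside the checks that replaced them (TLS-style padding validation and TLS 1.1's explicit per-record IV). This is an added example, not code from the page or any TLS library: the block cipher is a constructed four-round Feistel network over SHA-256 rather than AES, the key, IVs and record contents are made up, and the MAC that a real record carries is left out so the padding and IV behaviour stands on its own.

```python
"""Toy CBC record layer: SSL 3.0's unchecked padding bytes (POODLE) and TLS 1.0's
chained IVs (BEAST) beside the TLS padding check and TLS 1.1's explicit IVs.
Added example; the block cipher is a constructed Feistel toy, not AES."""
import hashlib
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Constructed toy block cipher: 4 Feistel rounds over two 8-byte halves."""
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def pad_tls(data: bytes) -> bytes:
    """TLS padding: a padding_length byte plus that many bytes, all equal to it."""
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([n]) * (n + 1)


def unpad_ssl3(data: bytes) -> bytes:
    """SSL 3.0: only the final byte is meaningful; the padding bytes themselves
    are never inspected, so tampering inside the padding goes unnoticed."""
    n = data[-1]
    if n >= BLOCK:
        raise ValueError("bad padding")
    return data[:-(n + 1)]


def unpad_tls(data: bytes) -> bytes:
    """TLS 1.0+: every padding byte must equal the padding length."""
    n = data[-1]
    if n + 1 > len(data) or any(b != n for b in data[-(n + 1):]):
        raise ValueError("bad padding")
    return data[:-(n + 1)]


def padding_tamper_detected(unpad) -> bool:
    """Corrupt one byte inside the padding of a decrypted record (what a
    ciphertext bit-flip in the previous block does) and ask the unpadder."""
    pt = bytearray(pad_tls(b"session=abc"))  # 11 data bytes + five 0x04 padding bytes
    pt[-2] ^= 0xFF                           # a padding byte, not the length byte
    try:
        unpad(bytes(pt))
        return False
    except ValueError:
        return True


def guess_confirmed(mode: str, guess: bytes, key: bytes = b"k" * 16) -> bool:
    """Why a predictable IV matters. The victim sends a record whose first block is
    `secret`; a later injected block is built from `guess`, the old IV and the IV
    the injector expects next. With chained IVs ("chained") the expected IV is the
    real one, so the injected block encrypts to the secret's ciphertext exactly when
    guess == secret. With a fresh random IV ("explicit") the expectation is wrong."""
    secret = b"Cookie: sid=7781"            # exactly one block, constructed
    iv0 = b"\x00" * BLOCK                    # IV of the first record, public
    rec0 = cbc_encrypt(key, iv0, pad_tls(secret))
    target, iv_expected = rec0[:BLOCK], rec0[-BLOCK:]
    injected = _xor(_xor(guess, iv0), iv_expected)
    iv_actual = iv_expected if mode == "chained" else os.urandom(BLOCK)
    rec1 = cbc_encrypt(key, iv_actual, pad_tls(injected))
    return rec1[:BLOCK] == target
```

`padding_tamper_detected(unpad_ssl3)` comes back False and `padding_tamper_detected(unpad_tls)` True, which is the whole difference POODLE lived in: an SSL 3.0 receiver cannot tell a damaged padding block from a good one. `guess_confirmed("chained", ...)` is True only for the right guess, and `guess_confirmed("explicit", ...)` is False even for the right guess, which is what TLS 1.1's explicit IV buys.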

What These Attacks Share

Three different attacks, three different mechanisms, but they share patterns that show up in every TLS attack since:

  • Composite constructions are fragile — CBC + MAC was always going to have edge cases. AEAD ciphers combine the two operations and remove the ordering trap;
  • Legacy support is permanent attack surface — if you can be downgraded, you will be downgraded. Cut old protocols off entirely;
  • Length and bounds checks are non-negotiable — Heartbleed was just one missing comparison;
  • Side channels matter — POODLE was a padding oracle. Lucky 13 (2013) was a timing oracle. Constant-time crypto isn't optional in 2026.

How Modern TLS Defends Against These Specifically

  • Heartbleed-class — no more heartbeat in TLS 1.3. Modern OpenSSL has had bounds checks audited extensively;
  • POODLE-class — SSL 3.0, TLS 1.0, and TLS 1.1 are all dead in every modern browser and server. TLS 1.3 also has built-in downgrade protection in the handshake: the server signs a value that proves the client and server agreed on the highest version both support, so an active attacker can't transparently downgrade;
  • BEAST-class — no CBC in TLS 1.3. The Mozilla Intermediate config explicitly omits CBC suites even from TLS 1.2.
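The downgrade protection mentioned for the POODLE class, written out from the client's side. This is an added example, not code from the page or from any TLS implementation: it models the sentinel mechanism of RFC 8446 section 4.1.3, where a server that could have negotiated a higher version writes "DOWNGRD" plus a marker byte into the last eight bytes of ServerHello.random, a field the server's handshake signature covers. The version constants are the real TLS version codes; the `handshake()` function, its `forced_version` parameter and the random values are constructed for the simulation, and the TLS 1.3 supported_versions extension is left out.

```python
"""Client-side check of TLS 1.3's downgrade sentinel (RFC 8446 section 4.1.3).
Added example; handshake() and the ServerHello values are constructed."""
import os

TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304

# A TLS 1.3 server that ends up in TLS 1.2 writes the first value into the last
# 8 bytes of ServerHello.random; a 1.2-or-better server forced to 1.1 or lower
# writes the second.
SENTINEL_12 = b"DOWNGRD\x01"
SENTINEL_11 = b"DOWNGRD\x00"


class DowngradeDetected(Exception):
    pass


def server_random(server_max: int, negotiated: int) -> bytes:
    """What an honest server puts in ServerHello.random: 32 random bytes, with the
    sentinel overwriting the tail whenever it could have done better than `negotiated`."""
    rnd = bytearray(os.urandom(32))
    if server_max >= TLS13 and negotiated == TLS12:
        rnd[-8:] = SENTINEL_12
    elif server_max >= TLS12 and negotiated <= TLS11:
        rnd[-8:] = SENTINEL_11
    return bytes(rnd)


def check_server_hello(client_max: int, negotiated: int, rnd: bytes) -> int:
    """Client-side rule from RFC 8446: a 1.3-capable client that lands on 1.2 or
    lower rejects either sentinel; a 1.2 client rejects the second sentinel if it
    lands on 1.1 or lower. Because the random is covered by the server's handshake
    signature, an on-path attacker cannot strip the sentinel without breaking it."""
    if len(rnd) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    tail = rnd[-8:]
    if client_max >= TLS13 and negotiated <= TLS12 and tail in (SENTINEL_12, SENTINEL_11):
        raise DowngradeDetected(f"server is newer than negotiated {negotiated:#06x}")
    if client_max == TLS12 and negotiated <= TLS11 and tail == SENTINEL_11:
        raise DowngradeDetected(f"server is newer than negotiated {negotiated:#06x}")
    return negotiated


def handshake(client_max: int, server_max: int, forced_version=None) -> str:
    """Simulate one handshake. `forced_version` models an active attacker pushing
    the negotiation below what both sides support (constructed for this demo)."""
    negotiated = forced_version if forced_version is not None else min(client_max, server_max)
    rnd = server_random(server_max, negotiated)
    try:
        check_server_hello(client_max, negotiated, rnd)
        return "ok"
    except DowngradeDetected:
        return "downgrade detected"


if __name__ == "__main__":
    print("1.3 client, 1.3 server:", handshake(TLS13, TLS13))
    print("1.3 client, old 1.2-only server:", handshake(TLS13, TLS12))
    print("1.3 client, 1.3 server forced to 1.2:", handshake(TLS13, TLS13, forced_version=TLS12))
```

The interesting pair is the last two: a genuinely old server negotiating TLS 1.2 passes, because it never writes the sentinel, while a TLS 1.3 server that was pushed down to 1.2 is caught, because it does. That is the distinction the POODLE-era fallback dance could not make.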

Knowing these is what separates someone who deploys TLS configs from someone who understands them.


Which feature of TLS 1.3 specifically makes BEAST-class attacks impossible?


Section 3. Chapter 1
