SSLv3 Poodle Attack Check


If you see a poodle below, then your browser supports SSLv3 via block ciphers, and you may be vulnerable. If you see a Springfield Terrier below, your browser doesn’t support SSLv3, or only supports SSLv3 using stream ciphers.


Known Issues

Make sure you clear your cache between tests.

The test requires that you are able to connect to an SSLv3-only site. You may experience some false positives or false negatives. For example, if your connection is slow, the connection to the test site will time out and your browser may wrongly show up as not vulnerable.


Browser Specific Issues:


Firefox is picky as to what ciphers it accepts. The test site supports a wide range of ciphers to allow Firefox to connect.


Apple stated that the Safari update released on Oct 17th no longer allows block ciphers via SSLv3. The test site (on purpose) only supports block ciphers as they are vulnerable to POODLE. However, my testing so far shows that Safari will still connect to the test site using ciphers like AES256. Safari should show up as not-vulnerable if it only supports stream ciphers over SSLv3.


I am getting some reports of inconsistent and wrong results with Android. I haven’t quite been able to reproduce some of the reported issues.


More Information:

[Sample image for a non-vulnerable browser]

[Sample image for a vulnerable browser]


Thanks to Andreas for suggesting a JavaScript trick to avoid image caching.
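
The timeout false negative described under Known Issues and the image-caching problem mentioned above can both be handled in the client-side check. The following is an added example, not the test site's own code; it assumes the check works by loading an image from the SSLv3-only host, and the function names, the `nocache` parameter and the host name are hypothetical.

```javascript
// Added example, not the test site's code. Host and helper names are assumptions.

// Append a unique query value so a cached image from an earlier run cannot
// stand in for a fresh connection attempt.
function cacheBustedUrl(base, nonce) {
  const sep = base.includes('?') ? '&' : '?';
  return base + sep + 'nocache=' + encodeURIComponent(String(nonce));
}

// Load an image from an SSLv3-only, block-cipher-only host and report once:
//   'vulnerable'      image loaded, so the SSLv3 block-cipher handshake worked
//   'not-vulnerable'  load failed before the deadline, e.g. handshake refused
//   'inconclusive'    no answer before the deadline, e.g. a slow connection
// `env` lets a test inject fakes; in a browser the defaults are used.
function probeSslv3(baseUrl, timeoutMs, done, env) {
  env = env || {};
  const createImage = env.createImage || (() => new Image());
  const setTimer = env.setTimer || setTimeout;
  const clearTimer = env.clearTimer || clearTimeout;
  const nonce = env.nonce !== undefined ? env.nonce : Date.now() + '-' + Math.random();

  const img = createImage();
  let settled = false;
  let timer = null;
  const finish = (result) => {
    if (settled) return;            // ignore a late load/error after the timeout
    settled = true;
    clearTimer(timer);
    img.onload = img.onerror = null;
    done(result);
  };
  timer = setTimer(() => finish('inconclusive'), timeoutMs);
  img.onload = () => finish('vulnerable');
  img.onerror = () => finish('not-vulnerable');
  img.src = cacheBustedUrl(baseUrl, nonce);
  return img;
}

// Browser usage (hypothetical host and element id):
// probeSslv3('https://sslv3-only.example.test/poodle.png', 10000,
//   (r) => { document.getElementById('result').textContent = r; });
```

Reporting a timeout as `inconclusive` keeps a slow connection from being shown as not vulnerable.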