http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/

Now can we please stop the discussion of why the IETF has to kill SSL3?

You do not get better security by deploying stronger crypto. You only get better security by stopping using insecure crypto.

Keeping the SSL2 code paths in OpenSSL was a MISTAKE. They should be excised with great prejudice and the code thrown into the hottest bit furnaces of mount Mordor. And the SSL3 code paths should follow them.

Maintaining legacy support for obsolete crypto positively harms good crypto implementations. I don't want to see the code in the distribution at all. Nor do I want to see support for the kitchen sink of 40 obsolete crypto algorithms. Killing off obsolete and broken crypto is actually more important than developing the new stuff.

If people can't figure out how to find an email provider who can support standards that have been published for over ten years now then I have to wonder what value they provide to a standards organization.

One of the big problems at CERN was the attachment to obsolete FORTRAN code bases even when it was known that they were absolutely riddled with bugs. Throwing away the old crappy systems might seem a waste but code and specifications do wear out.

Support for legacy systems and corner cases accumulate over time like barnacles on a sailing ship. If you don't beach the ship from time to time and scrape off the accumulated dreck, the ship gets slower and slower and eventually it will sink. OpenSSL has drowned because they didn't scrape off the barnacles.

Let's stop arguing over whether it is time to kill SSL3.