SSL is security theatre unless people start doing it better.

SSL is a layer of complexity; it's easy to get wrong, and the library community is systematically getting it wrong (picking on some big names because they're tough enough to take it, not because they noticeably do it any better or worse):

https://www.ssllabs.com/ssltest/analyze.html?d=viaf.org
https://www.ssllabs.com/ssltest/analyze.html?d=code4lib.org
https://www.ssllabs.com/ssltest/analyze.html?d=loc.gov

I'd implore you to check a couple of sites local to you and ping the administrators if they don't get the all clear.

In some cases there are reasons why security might be lagging on a particular site (third-party hosting, third-party clients connecting using out-of-date SSL libraries, a need to support many-years-out-of-patch-cycle browsers, etc.), but that's the kind of thing that needs to be an explicit policy.

cheers
stuart
