Misleading Language
"This should be an academic curiosity because SSL 3.0 was deprecated very nearly 15 years ago"
Seems that the word 'deprecated' has been widely misunderstood by browser and server writers for 15 years. How much other stuff has been 'deprecated' that is actually still out there, still in use, still burnt in to code and still vulnerable? My guess: **** loads.
Even though trivial routines such as sprintf() have been advised against for eternity (snprintf() being the advised, improved alternative), there must be tons of software out there that uses the older version. Ok, so that's fine if it works, but's it also means that it's potentually vulnerable to, for example, a buffer overflow problem.
And no-one is looking at the software's source code because it's old, established (and therefore boring) and blessed with an aura of correctness gained through age and not through analysis and testing.
So isn't it about time that things that have been deprecated actually got removed? If OSes actually got rid of the dangerous old shit like the SSL run time libraries and the dodgy old functions like sprintf() then after a period of chaos we would all be better off.