> I see. Still an odd kind of protection though. The attacker can just downgrade themselves.
No. A sensible server will not talk to you if your requested SSL version is too low.
pub.orcid.org seems to use absolutely outdated and insecure software versions.