So, OpenSSL is fucked.
By extension, Apache and nginx are as well. This has been in the wild for 2 years, was disclosed yesterday, and patched yesterday as well. TL;DR: it may be possible to dump the memory from a server, revealing private encryption keys, user credentials, or content
. That is basically the internet nightmare scenario.
One thing I find curious: if this has been in the wild for two years, paranoid minds might assume that some high-value targets have been compromised. Why haven't I gotten any emails from my bank/hosting provider/platypus-enthusiasts-social network to change my passwords?
On the bright side, the FRCF doesn't use SSL, so our credentials are uh, safe, or something.