Short answer - the sky is falling
- flaw existed since Dec 2011 in the core software that provides encryption of Internet traffic (OpenSSL)
- remote attackers can read memory from the web server process without authentication
  This leaks session IDs, passwords and the web server's private keys for its certificates
- agencies who record encrypted traffic can probably now decrypt it
- client software is also vulnerable (update your browser!)
Everyone needs to change their password for websites and other Internet services (VPNs etc.).
We are having a field day on the open test front but also having to defend - busy times!