"The severity of the Heartbleed vulnerability cannot be overstated"...
Humbug. Anything can be overstated. Even sex can be overstated. Get a grip. Have a cigar. Chillax.
Here's how it works: Let's say you are logging into your account at Bailedout Bank. Your username is taxslave and your password is bendover. You load the bailedout.com login page in your browser and enter taxslave and bendover. Before sending them, your browser asks Bailedout "Are you there? I want to talk in private. I'm sending you the six letter word bohica." Bailedout's server replies "I got bohica" in acknowledgement. All cool so far. Here goes password and username.
In the very same exact fraction of a split nanosecond, Sum Dum Chinaman hits Bailedout's login page with a program which asks Bailedout "Are you there? I want to talk in private. I'm sending you the seventeen letter word ricecake." Wait a minute... that's not seventeen letters long.
Right now, this thing can go one of four ways. 1) The server may not be using openssl. No prob. 2) The server may be using any version of openssl previous to the one with a flaw in it. No prob. 3) The server may be using a version of openssl subsequent to the version with the flaw. No prob.
Nobody talks about the likelihood that those three results will happen the vast majority of the time. Soon as I heard about heartbleed, I tested every server I am associated with (and I am an IT geek)... not a one affected.
OR, bailedout.com may be on a server with the affected openssl version. In which case it sends back: "gobbledeegookgobtaxslavebledeegookgobbledeegookgobbledeegookwrongciphergobbledeegookgobbledeegookgobbledeegookgobbledeegookgobbledeegook"
It's the old stack overflow. The gobbledegook and the message inside it may be 500 characters long. That gobbledegook is whatever just happens to be whizzing through memory at the speed of light at that exactimundo instant. The server has got at the very least four or eight gigs of RAM with jumbles racing through. One gig is a thousand megs is a thousand kilobytes is twice 500 letters. That's a whole stank crapload of characters. You can write the Bible with that. But only about 500 characters of all that dumps out. The chances that BOTH your two words happen to land in that same 500 bytes of gobbdegook and can be distinguished from the rest of the turmoil are somewhere between yeah right and are you kidding me.
Here's the worst that could happen: Sum Dum hits your account with a charge for a new laptop. You spot it on your statement, go to the bank, and repudiate the debt. Provb solved.
Here's the best that could happen: It took two years for some guy to discover this flaw. He may be the first guy to ever have discovered it. Sum Dum may never have caught on until after the news came out and Bailedout's IT department scrambled to update their openssl version. We don't know that anyone at all has ever been hit by this bug.
Here's the very worst that could happen on the Fair Trade Tobacco forum: Sum Dum hacks Jitterbug's account, logs in as him, and posts: "Knucklehead is a poopoo head". Gosh. I for one am terrified.
We live in an era when a man's maturity is measured by his timidity. "Circumspect" and "wise" are taken as synonyms. I ascribe it to not enough cave bears. Man was bred over many millennia to drive the bear out of the cave so Olga and the younkers could get in out of the snow. Then he posted himself at the cave mouth to keep off the wolves. Alas, no more cave bears. No more wolves. Just paper work all day and "what's on tonight". Now, he has to invent a bear to fight.
Paranoia will destroya.
