It's pretty bad, yeah. It's hard to deny that in the wake of the Cloudflare challenge having been met. Btw, Akamai's CTO confirmed on Hacker News that they had gotten keys in roughly the same amount of time in an internal challenge.
So for service providers this blows. A lot of servers will need to be patched and certs are going to have to be rotated out. A ton of money is going to be spent. A lot of consumers will be affected if only because they are going to be told to change all their creds.
But I still think there are some reasons for the ordinary consumer not to freak out. First, OpenSSH is not affected. This exploit does not give root access to servers, or access to databases, etc. Second, although the potential to acquire SSL keys and decrypt/alter traffic has been proven to exist, and thus we all have to assume people are out there right now in possession of that capability for some major systems, to compromise _your_ personal information using this technique they have to intercept the traffic, which is another whole layer of challenges with its own specific vulnerabilities and protections.
There are some scenarios in which that might not be difficult to do. If you access your online financial accounts from Starbucks you're probably in a vulnerable category. If you do that sort of thing strictly from home via an ISP account the real odds of your information having been intercepted and decrypted are still, imo, extremely low.
I haven't changed any passwords yet in response to this, for two reasons: 1) I haven't had clear communication from financial services providers that their systems are patched, and there is no sense changing passwords until they are; and 2) I access financial accounts only from home, via Comcast, on a wired link, or an AES-2 protected wireless network. As a consumer, I'm personally not that concerned. As an employee of an Internet application developer it's already been a pain in the ass, and I'm sure that is going to continue for some time.