Oh don’t get me wrong, this is a significant exploit, but I was responding to the assertion that virtually all net traffic would become readable.
OpenSSL is used by linux-folks like us (I’ve already updated my slackware boxes) and a fraction of webservers - as you said often but not exclusively Linux-based webservers (and automated cat treat machines, sadly). That’s a far cry from all net traffic, though it still remains a significant exploit - especially for the cats.
This will result in a number of costly problems, but most M$ and Mac users out there aren’t going to be seeing it manifest personally, and are just going to be experiencing their web-services updating their software and shuffling around user-logins - most of what they’re going to have to be doing will likely be related to user-prompts and password changes popping up once sites start trying to sort out the mess of potentially compromised private master keys, potentially compromised session cookies, and spoofed site certifications.
On the admin side this is one hell of a hairball to sort out.
I was responding to the assertion that virtually all net traffic would become readable.

That certainly wasn't an assertion that I made. The point I was making is that the site owner won't necessarily know whether or not his private key was stolen, and end users won't know whether an HTTPS site they are visiting has had its key stolen. You can patch your software to remove the vulnerability, but the horse has already left the barn.