May 22nd, 2008

A flaw has existed in OpenSSL’s key-making process for two years. This is pretty damned frightening. I remember when I installed the patch for this a few days back; I saw the description and thought, “Hmm, that’s a weird thing to push out as an update. I wonder what the problem was.”

The problem was that the set of “random” keys that OpenSSL generated (before the patch) was so constrained that the full set of unique keys can easily be generated automatically and used to brute-force the encryption. This is not unlike locking your front door with the key, but not completely pulling it shut. It appears shut, but all someone has to do is target you, and go push open your door. Fuck.
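An added illustration (not from the original post, and not OpenSSL's code) of why a constrained key set is fatal and how an administrator can audit for it: when a generator has very little seed entropy, every key it can ever produce can be precomputed, so a blocklist of fingerprints flags affected keys. The toy generator, its 15-bit seed size, and the host names are all assumptions constructed for this example.

```python
import hashlib
import random
import secrets

SEED_BITS = 15  # assumption: the toy generator's only entropy is a 15-bit seed


def toy_keygen(seed):
    """Stand-in for a flawed key generator: the seed fully determines the key."""
    rng = random.Random(seed)
    return rng.getrandbits(128).to_bytes(16, "big")


def fingerprint(key):
    """Short, comparable identifier for a key (SHA-256 hex digest)."""
    return hashlib.sha256(key).hexdigest()


def build_blocklist(seed_bits=SEED_BITS):
    """Fingerprint every key the constrained generator can possibly emit."""
    return {fingerprint(toy_keygen(s)) for s in range(2 ** seed_bits)}


def audit(inventory, blocklist):
    """Return the names of inventory keys that must be regenerated."""
    return sorted(
        name for name, key in inventory.items()
        if fingerprint(key) in blocklist
    )


def sample_inventory():
    """Constructed sample: two keys from the flawed generator, one from the OS CSPRNG."""
    return {
        "web01": toy_keygen(4242),
        "mail01": toy_keygen(31337),
        "db01": secrets.token_bytes(16),
    }


if __name__ == "__main__":
    blocklist = build_blocklist()
    print("possible keys:", len(blocklist))
    print("regenerate:", audit(sample_inventory(), blocklist))
```

A 128-bit key looks strong on paper, but here only 32,768 distinct keys can exist, so the whole set fits in memory and the audit is a set lookup.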

1 comment

Yeah that was BS. The Debian guys forked off OpenSSL to “fix” this. Thanks a lot. :P Leave it to the professionals please.
