By now everyone has likely heard of heartbleed. It is a dangerous exploit that reveals the contents of a server's memory to the web on any server running an unpatched or pre 1.0.1 version of OpenSSL. The fear by most is that the private key of a servers SSL Certificate may have been compromised since servers keep that information in RAM at some point.
- Disclaimer: Facebook and other sites used in this article are used mearly as a familiar example and are not known at this time to be vulnerable of anything *
Man In The Middle
When an attacker gets your SSL Private key it enables them to sign SSL traffic as your site. This mean if the attacker has facebook.com's private key, they can impersonate facebook.com and have you send traffic to facebook.com and through various ARP and DNS poisoning have you really be sending data to them. Historically SSL has mitigated this type of attack because if you expect to send traffic to https://www.facebook.com the attacker won't have a valid cert and pri