Not to diminish the importance of the Heartbleed flaw (which should be patched immediately), but the truth of the matter is that most Websites don’t use SSL properly to begin with, and neither do many end users.
Have you ever visited a Website and been shown an SSL warning? Many of us have, whether it’s a corporate Website or otherwise, and the typical behavior is that users just click through.
SSL warnings can show up in browsers to alert users of any number of issues, ranging from the use of a self-signed SSL certificate to a revoked certificate. The SSL certificate is the digital document that asserts ownership and integrity. An SSL certificate can be acquired from a certificate authority (CA), or it can be self-signed. If you click through an SSL warning to get access to a Website or service, you could well be invalidating the security that SSL aims to deliver to you.
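The same click-through happens in code, where a developer who cannot get a connection to verify disables certificate checking instead of fixing the certificate. The following example, added here and not part of the original article, shows the programmatic equivalent of a browser's warning in Python's standard `ssl` module: a strict client context, the "click-through" context that disables verification, an `audit_context` check that flags such contexts, and a `certificate_findings` check that looks at a peer certificate (the dict shape returned by `getpeercert()`) for the two warning causes the article names, a self-signed issuer and an expired validity period. The function names are hypothetical and `SELF_SIGNED_CERT` is a constructed sample, not a certificate from any real site.

```python
import ssl
import time
from typing import List, Optional


def strict_client_context() -> ssl.SSLContext:
    """Client context that refuses any connection a browser would warn about.

    create_default_context() loads the OS trust store and sets
    verify_mode=CERT_REQUIRED and check_hostname=True; we also pin the
    floor at TLS 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def click_through_context() -> ssl.SSLContext:
    """The code equivalent of clicking through an SSL warning.

    Shown only so audit_context() has something to flag: with CERT_NONE the
    peer's certificate is never checked, so any on-path attacker can present
    their own and the session is encrypted to the wrong party.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings of a context that amount to ignoring SSL warnings."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


# Constructed sample in the shape SSLSocket.getpeercert() returns; the
# issuer equals the subject, which is what a self-signed certificate looks like.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "intranet.example.test"),),),
    "issuer": ((("commonName", "intranet.example.test"),),),
    "notBefore": "Apr  5 00:00:00 2014 GMT",
    "notAfter": "Apr  5 00:00:00 2015 GMT",
}

# Epoch seconds for the sample's notBefore, used to pick a deterministic "now".
EPOCH_2014_04_05 = ssl.cert_time_to_seconds("Apr  5 00:00:00 2014 GMT")


def certificate_findings(cert: dict, now: Optional[float] = None) -> List[str]:
    """Flag properties of a peer certificate that would trigger a browser warning.

    Only the checks that can be done on the getpeercert() dict are shown:
    self-signed (issuer == subject) and validity period. Chain and
    revocation checks need the full chain and a CRL/OCSP lookup.
    """
    now = time.time() if now is None else now
    findings = []
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed certificate (issuer equals subject)")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid")
    if now > not_after:
        findings.append("certificate expired")
    return findings


if __name__ == "__main__":
    print("strict context findings:", audit_context(strict_client_context()))
    print("click-through context findings:", audit_context(click_through_context()))
    print("sample cert, one month after issue:",
          certificate_findings(SELF_SIGNED_CERT, now=EPOCH_2014_04_05 + 30 * 86400))
    print("sample cert, 400 days after issue:",
          certificate_findings(SELF_SIGNED_CERT, now=EPOCH_2014_04_05 + 400 * 86400))
```

In a real client the strict context is passed to `ctx.wrap_socket(sock, server_hostname=host)`; a self-signed or expired certificate then raises `ssl.SSLCertVerificationError` instead of silently connecting, which is the outcome the browser warning is asking the user to choose. `audit_context` is the kind of check worth running in a code review or test suite so that the click-through context never reaches production.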
In a perfect scenario, when you deploy SSL, the connection is encrypted from end to end; attackers can’t spoof or spy; users get what they want; and everyone is happy, safe and secure. But the reality is that the perfect scenario is not the majority use case for SSL deployments today.
According to the latest SSL Pulse statistics for April 5 (which is before the Heartbleed flaw became public), only 25.3 percent of sites scanned for SSL were actually deploying it correctly.