Some of you might have noticed something called Heartbleed generating a lot of tech news smoke and heat this week.
This web server runs on Apache, yes. But I don't provide an encrypted server connection over SSL—it's an unencrypted set-up because I'm not in the business of selling you something or handling your confidential information, and I don't see a pressing need to make your life and mine more complicated in order to provide an illusion of (non-existent) security. If you're not running an SSL encrypted service in the first place, then you're not vulnerable to a particularly nasty zero-day hitting OpenSSL. QED.
This is not to say that I won't be patching the OpenSSL setup on my colo box in due course, because security is next to godliness or good oral hygiene or something. But I'm not running around panicking. You aren't trusting me with your credit card details or your Google account credentials, and if you were, you could only expect me (or any commercial web server) to provide limited security against non-state actors. For example, if the folks at the Doughnut in Cheltenham want to read my blog, patching SSL isn't going to keep them out: (a) the machine isn't under my physical control, and (b) there's this little thing called RIPA (2000) that gives them the legal power to demand access to my private keys under a gagging order and on pain of imprisonment if they want to play medium-heavy. Or to go raid my colocation host (see (a)). Playing heavy-heavy in this context would involve armed police or drone strikes or ... you get the picture.
We live in a panopticon, and it's time to get real. Yes, we should look to our security updates for protection against "ordinary" criminals. But if you're worried about the government, patching NSA-exploited zero-days is a bit like trying to treat a bubonic plague outbreak by hanging a sprig of lavender over your front door: at best it's a displacement activity, while the cure lies elsewhere.