Not sure of my facts, but I'm coming around to the idea that home users (SSL clients) are at risk too, as the client software apparently contains the bug as well as server-side.
The attack mechanism would presumably be as follows…
1) You connect to a legit SSL server, such as your bank.
2) You then connect to a malicious site that happens to use SSL, or even a legit one that's already been compromised.
3) Since the malicious system can execute the broken SSL code on your system, it is able to run the exploit, which, I believe, is to get memory snapshots of your system, which may contain all sorts of things like passwords and keys.
I understand it affects some Android phones too, BTW.