Heartbleed

For Muggles:

Are you an Internet user bewildered by all this noise about "heartbleed" and "resets"?
That's cool, ain't everyone gotta be a nerd. Buncha websites have probably been leaking passwords (and other security token type things) for a while. There's no good proof (YET) that anyone has really been attacking this though. Changing sensitive passwords after the sites fix themselves is probably a good idea. Panicing is probably not warranted.

OMG I WENT TO THIS TESTING SITE AND IT SAID
Woah woah woah. A bunch of websites have thrown up "see if your favorite website is vulnerable to heartbleed" test pages. At least some of the popular ones are provably wrong. Remember, everybody selling something and some of them are selling you panic.
Be careful about password reset emails
As always, people who like to trick you out of money or sensitive information love to pivot off hot news events. If you get a password reset email from a service talking about heartbleed (or just in general) and you didn't do something to trigger the email, don't click. Go to the actual service site and reset your password there.

For Wizards:

So you're running a SSL/TLS site or mail gateway?
No? Well relax.
Yes? Keep reading

Was it on the OpenSSL 0.9.8 branch? 
OK, do nothing*
Wait what about hardware load balancer TLS termination?
Well, check and make sure that the TLS stack on it wasn't vulnerable of course, but your'e probably OK. From what I've seen all the "firmware" implementations were fine but some of the "doing TLS in software on the loadblancer" implementations may have been vulnerable.** 
Was it using something else server-side to terminate TLS that isn't OpenSSL?
Well put your feet up and enjoy not being in the fire for once.
Was it on the OpenSSL 1.0.1 branch?
Cool, you've got work to do:
  • Recompile with heartbeat disabled or upgrade to latest OpenSSL right now
  • Look up on your CA's site about how to regenerate your certificates, each has their own proper workflow
  • Regenerate your certs and use a new private key to do so (your old private key may have been leaked)
  • Doing so hopefully revoked your old certs. If not forcibly do so.***
  • Invalidate all server-side session tokens in the most expedient manner. Yes, even if you have 2FA for your service.
  • Force a password reset for your users
    Is your OpenSSL server not actually important to anyone but your cat and just a random TLS server for [reasons][which are probably cat pictures]?

    That's cool, turn off your HTTPS listener till you have a chance to patch.

    I ship client applications that connect to arbitrary websites/mail systems and use OpenSSL libraries!

    Well either you dynamically link and better hope the OSes update soon, or you statically link and you should recompile and push updates.



    *Consider updating to 1.0.1 after it becomes stable again so you can improve your TLS support.

    **Yes, yes, as always, the terms hardware, firmware, and software don't apply well to appliances (it's all software, dude, have you seen my klout score on hacker news?!?!) and you can be a wonderful pedant about them, but if you're reading this you know exactly what I mean.

    *** This barely even matters because cert revocation status checking is pretty much a broken process outside of OSCP stapling which (i think) only Opera even supports.