Are you an Internet user bewildered by all this noise about "heartbleed" and "resets"?
That's cool, ain't everyone gotta be a nerd. Buncha websites have probably been leaking passwords (and other security token type things) for a while. There's no good proof (YET) that anyone has really been attacking this though. Changing sensitive passwords after the sites fix themselves is probably a good idea. Panicing is probably not warranted.
OMG I WENT TO THIS TESTING SITE AND IT SAID
Woah woah woah. A bunch of websites have thrown up "see if your favorite website is vulnerable to heartbleed" test pages. At least some of the popular ones are provably wrong. Remember, everybody selling something and some of them are selling you panic.
No? Well relax.
Yes? Keep reading
Was it on the OpenSSL 0.9.8 branch?
OK, do nothing*
Well, check and make sure that the TLS stack on it wasn't vulnerable of course, but your'e probably OK. From what I've seen all the "firmware" implementations were fine but some of the "doing TLS in software on the loadblancer" implementations may have been vulnerable.**
Well put your feet up and enjoy not being in the fire for once.
- Recompile with heartbeat disabled or upgrade to latest OpenSSL right now
- Look up on your CA's site about how to regenerate your certificates, each has their own proper workflow
- Regenerate your certs and use a new private key to do so (your old private key may have been leaked)
- Doing so hopefully revoked your old certs. If not forcibly do so.***
- Invalidate all server-side session tokens in the most expedient manner. Yes, even if you have 2FA for your service.
- Force a password reset for your users
That's cool, turn off your HTTPS listener till you have a chance to patch.
I ship client applications that connect to arbitrary websites/mail systems and use OpenSSL libraries!
Well either you dynamically link and better hope the OSes update soon, or you statically link and you should recompile and push updates.
*Consider updating to 1.0.1 after it becomes stable again so you can improve your TLS support.
**Yes, yes, as always, the terms hardware, firmware, and software don't apply well to appliances (it's all software, dude, have you seen my klout score on hacker news?!?!) and you can be a wonderful pedant about them, but if you're reading this you know exactly what I mean.
*** This barely even matters because cert revocation status checking is pretty much a broken process outside of OSCP stapling which (i think) only Opera even supports.