Yet another MAJOR internet security flaw


Starless
10-04-2014, 09:03 AM
This is of some concern as it is not something the individual user can do anything about.:mad2:

http://www.abc.net.au/news/2014-04-10/heartbleed-bug-password-reset-data-openssl/5379604

mithrandir
10-04-2014, 09:13 AM
True you can't do anything about other people's sites, but at least you might be able to secure your own. I don't use a vulnerable version of openssl.

michaellxv
10-04-2014, 11:41 AM
Just got my first email since this bug went public from a site requesting me to verify my details etc.
Problem is that it is rather well constructed but does not look entirely legit. Be warned yet again, don't click on the email links; type a known address into your browser or use your saved links.

AstralTraveller
10-04-2014, 01:27 PM
I don't know why anyone is surprised. After all, it is Open SSL. :lol::P

So, what sort of passwords should I reset? Paypal? Ebay? Gmail?

Astro_Bot
10-04-2014, 01:51 PM
No, they were fine. Yahoo was mentioned, but I'm not sure of that myself. Some sites have been reported as fixed already (it's just a patch to OpenSSL that's needed).

I tested about 25 HTTPS sites yesterday for the vulnerability - these are sites I use that have a "secure" logon or such - and only one was vulnerable, and it was a small, obscure shopping site.
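
The patch Astro_Bot refers to is a single missing bounds check in OpenSSL's TLS heartbeat handler. The following is an added Python illustration, not code from this thread or from OpenSSL: a byte string stands in for process memory, and the two functions mirror the shape of the heartbeat handling before (1.0.1 through 1.0.1f) and after (1.0.1g) the fix. The memory layout, the "secret" data placed after the record and the claimed length of 80 are all constructed for the example.

```python
"""Simulated TLS heartbeat handling before and after the Heartbleed fix.

Constructed example: a byte string stands in for process memory, so the
"leak" is a slice of that string, not a real out-of-bounds read.
"""
import struct

TLS1_HB_REQUEST = 1      # heartbeat message types from RFC 6520
TLS1_HB_RESPONSE = 2
MIN_PADDING = 16         # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload, claimed_len=None):
    """type(1) | payload_length(2) | payload | padding(16).

    claimed_len lets the sender lie about the payload length, which is the
    whole attack; an honest peer leaves it as None.
    """
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", TLS1_HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_heartbeat(memory, off, record_len):
    """Mirrors the 1.0.1 through 1.0.1f handler.

    The payload length is read from the peer-controlled message and never
    compared with the length of the record actually received, so the echo
    copies payload_len bytes starting at the payload and runs past the end
    of the record into whatever follows it in memory.
    """
    hbtype = memory[off]
    (payload_len,) = struct.unpack_from("!H", memory, off + 1)
    if hbtype != TLS1_HB_REQUEST:
        return None
    payload_start = off + 3
    # Missing check: 1 + 2 + payload_len + MIN_PADDING must not exceed record_len.
    echoed = memory[payload_start:payload_start + payload_len]
    return struct.pack("!BH", TLS1_HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def patched_heartbeat(memory, off, record_len):
    """Mirrors the 1.0.1g fix: a message whose declared payload (plus type,
    length field and minimum padding) does not fit inside the received
    record is silently discarded, as RFC 6520 requires."""
    if 1 + 2 + MIN_PADDING > record_len:
        return None
    hbtype = memory[off]
    (payload_len,) = struct.unpack_from("!H", memory, off + 1)
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None
    if hbtype != TLS1_HB_REQUEST:
        return None
    payload_start = off + 3
    echoed = memory[payload_start:payload_start + payload_len]
    return struct.pack("!BH", TLS1_HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def lay_out_memory(record):
    """Constructed process memory: the received record followed by data that
    happens to sit after it (a fake session cookie and a fake key header).
    Returns (memory, record offset, record length)."""
    before = b"\x00" * 8
    after = b"Cookie: session=SECRET-COOKIE-123; ... -----BEGIN RSA PRIVATE KEY-----"
    return before + record + after, len(before), len(record)


def response_payload(response):
    """Strip the heartbeat response header and trailing padding."""
    (payload_len,) = struct.unpack_from("!H", response, 1)
    return response[3:3 + payload_len]


def demo(claimed_len=80):
    """Send a one-byte heartbeat that claims an 80-byte payload to both
    handlers, plus an honest 5-byte heartbeat to the patched one."""
    record = build_heartbeat(b"X", claimed_len=claimed_len)
    memory, off, record_len = lay_out_memory(record)
    return {
        "vulnerable": vulnerable_heartbeat(memory, off, record_len),
        "patched": patched_heartbeat(memory, off, record_len),
        "honest_patched": patched_heartbeat(*lay_out_memory(build_heartbeat(b"hello"))),
    }


if __name__ == "__main__":
    out = demo()
    print("vulnerable server echoed:", response_payload(out["vulnerable"]))
    print("patched server replied:", out["patched"])
    print("patched server, honest request:", response_payload(out["honest_patched"]))
```

Run it and the vulnerable handler echoes the one-byte payload followed by 79 bytes of whatever lay after the record, cookie and key header included, while the patched handler drops the same message and still answers the honest one. The real bug returned up to 64 KB per heartbeat from the heap, which is why the thread's advice covers keys and certificates and not only passwords. One caveat when checking your own server: the fix shipped in 1.0.1g, but distributions backported it without changing the version number, so `openssl version` alone is not conclusive; check the package changelog or probe the running service.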

RickS
10-04-2014, 02:03 PM
Also revocation and replacement of each site's X.509 certificate in case the private key was compromised during the approximately two years that this vulnerability has been around.

The_bluester
10-04-2014, 02:08 PM
Actually a list I saw yesterday had Gmail (all of the Google stuff actually) as a "Possibly". We can only wait and see if they report as having had to fix themselves, I suppose.

Astro_Bot
10-04-2014, 02:40 PM
I saw a blog post that Google/Gmail was affected, but I tested them yesterday - all good. They must have been quick.

@RickS: Technically, that's only if the site was compromised - that's what I was thinking, even if it didn't come across that way (I haven't had my coffee yet) - but as there's no way to know for sure, then it's wise to do certificates, keys and passwords (including user passwords on those sites).

This sounds like it's as big as the DNS spoofing bug of 2008.

Astro_Bot
10-04-2014, 03:04 PM
Ah, finally, a list of affected sites (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/), which was posted only 4 hours ago.

There will be other sites affected (there are, after all, millions of websites around the world). As mentioned, I found one small shopping site I use was affected, so I sent them an e-mail.

Steffen
10-04-2014, 03:14 PM
A lot of sites have been patched in the last 24 hours, however, the vulnerability has been around for over two years. There is no way of knowing who's been exploiting it and for what purpose.

Cheers
Steffen.

Astro_Bot
10-04-2014, 04:30 PM
More useful information slowly coming in - this article published within the last hour: How to avoid 'Heartbleed' heartache (http://www.brisbanetimes.com.au/digital-life/consumer-security/how-to-avoid-heartbleed-heartache-20140410-zqswp.html)

Particularly this bit - the top 1000 sites and their test results: Heartbleed mass test - top 1000 (https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt)