So I'm jumping in with some facts, a few opinions, and some action steps that you should be taking now.
First we'll look at the consumer/user side of things. Then the organization side. Finally, I'll talk a bit more about what this is and what this isn't.
If you use the Internet and enter any personal or financial information on any website, then you might be affected by this issue. To find out, follow these steps:
- Check with your providers - your bank, your shopping sites - to see if they have fixed the problem (or never had it in the first place). You can check their website or blog for info. Some providers are notifying customers (my bank did that).
- Test the site to see if it's affected. There are a number of tools available including these:
  - LastPass - https://lastpass.com/heartbleed/
  - GitHub - http://filippo.io/Heartbleed/
  - SSL Labs - https://www.ssllabs.com/ssltest/
Next, if you have responsibility for security or servers at your organization, here's what you need to do:
- Inventory - you need to figure out where all your web servers are and how you are serving web content. There are a number of aspects to consider:
  - web servers in your data center - this should be the easiest. Microsoft IIS is typically not affected.
  - web servers not in your data center - check under people's desks! This is also a great opportunity to figure out what "other" systems might be serving web content.
  - hosted/SaaS solutions - check with your cloud partners for their vulnerabilities - always a good idea!
  - other front ends - proxies, SSL accelerators, SSL VPNs, load balancers, jump stations
  - and don't forget about embedded devices with web administrative interfaces
- upgrade to OpenSSL 1.0.1g! (or recompile without the heartbeat option)
- revoke your existing certs and keys
- issue new certs and keys
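Here is an added example (my own helper script, not something from the original post or from the OpenSSL project) that supports both the consumer-side "test the site" step and the organization-side inventory and upgrade steps. It only inspects the output of the real `openssl version` and `openssl s_client -tlsextdebug` commands and scans `/proc` on Linux for processes that still have an old `libssl` loaded; it never sends a heartbeat request, so it tells you whether a server even negotiates the TLS heartbeat extension and whether a build's version string falls in the affected range, not whether memory actually leaks. The sample version strings and `s_client` excerpt embedded at the bottom are constructed, not captured from any real host.

```shell
#!/bin/sh
# Added example, not part of the original post. Three defender-side checks
# for the Heartbleed clean-up steps above. Assumptions: a POSIX sh, the
# `openssl` CLI on PATH for the network check, and Linux /proc for the
# process inventory.

# Classify the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Affected range for CVE-2014-0160: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# Prints vulnerable / fixed / not-affected; returns 1 only for "vulnerable".
# Caveat: distributions backport fixes without bumping the version string
# (RHEL's 1.0.1e-fips is a common case), so "vulnerable" here means
# "confirm with your package manager and a runtime check", not "exploitable".
openssl_version_status() {
    ver=$(printf '%s\n' "$1" | awk 'NR==1 {print $2}')
    case "$ver" in
        1.0.2-beta1*) echo vulnerable; return 1 ;;
    esac
    base=${ver%%-*}            # strip suffixes such as -fips
    case "$base" in
        1.0.1|1.0.1[a-f]) echo vulnerable;   return 1 ;;
        1.0.1*|1.0.2*)    echo fixed;        return 0 ;;
        *)                echo not-affected; return 0 ;;
    esac
}

# Given the text of `openssl s_client -tlsextdebug`, return 0 when the server
# echoed the heartbeat extension (RFC 6520, id 15). A server that does not
# negotiate it cannot be reached by the bug; one that does may still be a
# patched 1.0.1g, so this is a negative test only. Caveat: the client-side
# openssl must itself offer heartbeat (1.0.1+, not built with
# -DOPENSSL_NO_HEARTBEATS), otherwise nothing is echoed and you get a
# misleading "not negotiated".
heartbeat_negotiated() {
    printf '%s\n' "$1" | grep -q 'server extension "heartbeat"'
}

# Network check for one host. Uses extension debugging only; no heartbeat
# request is sent. Not invoked by the demo below.
check_server() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -tlsextdebug </dev/null 2>&1)
    if heartbeat_negotiated "$out"; then
        echo "$host:$port: heartbeat extension negotiated - verify the server's OpenSSL is 1.0.1g or later"
    else
        echo "$host:$port: heartbeat extension not negotiated"
    fi
}

# Linux only: list PIDs whose memory map includes a libssl shared object.
# After upgrading the package, anything still listed here is running the
# OLD library in memory and must be restarted (or the host rebooted).
# Statically linked daemons and appliances bundling their own OpenSSL will
# not appear here, which is why the list above includes embedded devices.
processes_with_libssl() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -q 'libssl\.so' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        fi
    done
}

# Constructed sample inputs for an offline run (not captured from a real host).
SAMPLE_VERSION='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_SCLIENT='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1'

demo() {
    printf 'sample build status: %s\n' "$(openssl_version_status "$SAMPLE_VERSION")"
    if heartbeat_negotiated "$SAMPLE_SCLIENT"; then
        echo 'sample server: heartbeat extension negotiated'
    else
        echo 'sample server: heartbeat extension not negotiated'
    fi
}
demo
```

To use it against your own inventory, source the script and call `check_server host [port]` for each front end (proxies, load balancers, SSL VPNs and administrative interfaces included), then run `processes_with_libssl` on each patched host to catch daemons that were not restarted after the package upgrade.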
Hopefully you are taking care of both your personal accounts and your company's sites.
And... for you xkcd fans out there: