I'm at a total loss to understand what is taking place regarding this hole. Guess I'm just plain stupid but hey I suspected such a long time ago.
You raise an interesting point. If this was undetected for 2 years, why didn’t whoever found it just tell the people who make the software so they could fix it without the bad guys ever knowing that the security problem existed?
OpenSSL is open source. You can download and go through the tomes of code. Nothing about it is secret.
Changing passwords is futile unless and until the website has patched their OpenSSL servers.
Here’s what most companies, mine included, are doing right now:
1. All certification authorities (CAs) have had their private keys revoked, all certificates issued by the CAs have been revoked, the servers are patched, rebooted, and the private key is reissued.
2. All servers with certificates signed by the CA are deleted from the server certificate store. New certificate signing requests (CSRs) are generated and issued to the CA. The CA signs the new certificate, and the servers are placed back in production.
3. Any servers with self-signed certificates are patched and rebooted. The private keys are deleted and regenerated. Certificates are generated with those keys, and the servers are put back into production.
It seems like a minor thing, but if you don’t have the proper infrastructure in place, it could take up to 20 minutes per server. My company alone has over 3,000 servers in production.
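The re-keying in steps 2 and 3 above, as an added example that is not the commenter's own procedure: a POSIX sh script that generates a fresh private key, a CSR for the CA and a self-signed fallback certificate with the `openssl` CLI, then checks that none of the new material still uses the old key. The `server.*` file names, the `/CN=` subject and RSA-2048 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original comment): re-key one server after the
# OpenSSL patch. A new key, CSR and self-signed cert are produced, and the
# script proves they use the new key pair rather than the old, possibly leaked
# one. File names, CN and key size are constructed for the example.
set -eu
umask 077   # new key files are created owner-readable only

# pubkey_fp FILE KIND -> SHA-256 of the DER-encoded public key (SPKI).
# KIND is key, req or x509. Equal SPKI hashes mean the same key pair.
pubkey_fp() {
  case $2 in
    key)  openssl pkey -in "$1" -pubout ;;
    req)  openssl req -in "$1" -pubkey -noout ;;
    x509) openssl x509 -in "$1" -pubkey -noout ;;
    *)    echo "unknown kind: $2" >&2; return 2 ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# rotate_key DIR CN -> writes DIR/server.key.new, DIR/server.csr, DIR/server.crt
# Returns non-zero if the new key equals the old DIR/server.key, or if the CSR
# or cert do not match the new key, so a failed rotation never ships.
rotate_key() {
  dir=$1; cn=$2
  old="$dir/server.key"; new="$dir/server.key.new"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$new" 2>/dev/null
  # step 2: CSR to hand to the CA
  openssl req -new -key "$new" -subj "/CN=$cn" -out "$dir/server.csr"
  # step 3: self-signed certificate from the same new key
  openssl req -new -x509 -key "$new" -subj "/CN=$cn" -days 365 -out "$dir/server.crt"
  newfp=$(pubkey_fp "$new" key)
  if [ -f "$old" ] && [ "$(pubkey_fp "$old" key)" = "$newfp" ]; then
    echo "ERROR: new key is identical to the old key" >&2; return 1
  fi
  [ "$(pubkey_fp "$dir/server.csr" req)" = "$newfp" ] || { echo "ERROR: CSR key mismatch" >&2; return 1; }
  [ "$(pubkey_fp "$dir/server.crt" x509)" = "$newfp" ] || { echo "ERROR: cert key mismatch" >&2; return 1; }
  # Only after these checks should server.key be replaced and the old key deleted.
  echo "rotation checks passed for $cn"
}

if [ $# -ge 2 ]; then
  rotate_key "$1" "$2"
fi
```

Run as `sh rotate.sh /etc/ssl/private www.example.test` against a directory holding the old `server.key`; a non-zero exit means the server must not go back into production.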