I saw this on the full disclosure list Tuesday, but didn’t think much of it.
Yes, a lot of sites are affected. Yes, there’s potential for account hijack. Do you need to panic, as is HuffPo’s advicepanic? No. (And I’ll spare teh soliquily about how their operation make MSNBC and Fox look like bastions of crediblity….)
My understanding is that this was a bug that popped up sometime in the past couple of years. Surprisingly, if you’re running old stuff (or Microsoft nonsense) server-side, you’re unaffected.
It’s something that unless the sites were using the vulnerable version, and you changed your password while they were using the buggy version, and someone happened to be hijacking your session when you changed your password, then you might be vulnerable.
Do the math on the probabilities.
I’ll spare the schadenfreude about the commercial sekurity products affected because they used a buggy verison of OpenSSL, though *cough*McAfee*cough*Barracuda*cough* the temptation is tough to completely pass up.