OpenSSL is open source. You can download and go through the tomes of code. Nothing about it is secret.
Changing passwords is futile unless and until the website has patched their OpenSSL servers.
Here’s what most companies, mine included, are doing right now:
1. All certification authorities (CAs) have had their private keys revoked, all certificates issued by the CAs have been revoked, the servers are patched, rebooted, and the private key is reissued.
2. All servers with certificates signed by the CA are deleted from the server certificate store. New certificate signing requests (CSRs) are generated and issued to the CA. The CA signs the new certificate, and the servers are placed back in production.
3. Any servers with self-signed certificates are patched and rebooted. The private keys are deleted and regenerated. Certificates are generated with those keys, and the servers are put back into production.
It seems like a minor thing, but if you don’t have the proper infrastructure in place, it could take up to 20 minutes per server. My company alone has over 3,000 servers in production.
Thanking each of you for your responses.
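A shell version of the rekey steps described above, added here as an illustration and not part of the original post. It assumes the openssl CLI is installed; the hostname, file names and working directory are constructed. Beyond the steps themselves, it adds the check a practitioner wants after a rotation: that the reissued certificate really carries a new public key rather than being re-signed over the old one.

```shell
#!/bin/sh
# Added example: regenerate key + CSR + certificate (steps 2/3 above) and
# verify the rotation. Assumes the openssl CLI; paths/CN are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 2/3: brand-new private key and a CSR for it.
gen_key_and_csr() {
  name="$1"; cn="$2"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" \
    -out "$WORK/$name.csr" 2>/dev/null
}

# Step 3: self-sign the CSR with its own key (in step 2 the CA signs it).
self_sign() {
  name="$1"
  openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
    -days 365 -out "$WORK/$name.crt" 2>/dev/null
}

# SHA-256 of the SubjectPublicKeyInfo carried by a certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -pubkey -noout | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public half of a private key, same encoding as above.
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if the new cert's key differs from the old cert's key
# (the key really changed) and matches the freshly generated private key.
rotation_ok() {
  old_crt="$1"; new_crt="$2"; new_key="$3"
  old_fp=$(cert_pubkey_fp "$old_crt")
  new_fp=$(cert_pubkey_fp "$new_crt")
  key_fp=$(key_pubkey_fp "$new_key")
  [ "$old_fp" != "$new_fp" ] && [ "$new_fp" = "$key_fp" ]
}

# Demo: "old" stands for the pre-patch key; "new" is the regenerated one.
gen_key_and_csr old www.example.test; self_sign old
gen_key_and_csr new www.example.test; self_sign new
if rotation_ok "$WORK/old.crt" "$WORK/new.crt" "$WORK/new.key"; then
  echo "rotation verified: new certificate uses a new key"
else
  echo "WARNING: certificate reissued but key did not change" >&2
fi
```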