by jeff303 4454 days ago
When would be the optimal time to perform these password changes? I am assuming that not every affected site has been patched yet, and it would be pointless to change the password, and log in, before they have fixed the problem.
2 comments

Actually, it turns out that LastPass (which I use) has incorporated most of what's discussed in this sub-thread into its security checker tool, so it automatically tells me which sites need to have passwords changed for them and when.
Use one of the testers to check if the website is currently vulnerable.
And then use your browser's certificate inspector to check the issue date of the certificate. If it's earlier than April 7, 2014, it's still insecure.
Only if they were impacted by the bug.

It's rather unreasonable to expect sites that know they were not impacted will update their certificate. So unless you want to write off your bank's website for the next year or three until the date expires and they renew it then (banks seem to have avoided this: suddenly dawdling behind the bleeding edge doesn't look so bad!), scorched-earth policies are a bit much.

Actually I might even say the opposite; if the site is secure and the certificate is older than 4/7/2014, that suggests the site was not impacted. If the certificate is newer than 4/7/2014, that pretty much guarantees the site was impacted. It is possible the site patched OpenSSL and did not renew the cert, but in general people are not going to do one without the other.
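The decision rule this thread converges on (first check whether the site is still vulnerable, then look at the certificate's issue date relative to the April 7, 2014 disclosure) can be written down as a small script, so you can run it over your own list of accounts the way the LastPass checker mentioned above does. The code below is an added example and not from any commenter or from LastPass. It assumes the `notBefore` string format that Python's `ssl.getpeercert()` returns (e.g. `"Apr  9 12:00:00 2014 GMT"`), and it takes the "currently vulnerable" answer as an input you obtain from one of the external testers; the site names and dates in `SAMPLE_SITES` are constructed for illustration.

```python
import socket
import ssl

# Disclosure date from the thread; any certificate issued on or after this
# date is treated as a post-Heartbleed reissue.
HEARTBLEED_DISCLOSURE = "Apr  7 00:00:00 2014 GMT"


def issued_after_disclosure(not_before: str) -> bool:
    """True if the certificate's notBefore is on/after the disclosure date.

    Both strings are in the format ssl.getpeercert() uses, which
    ssl.cert_time_to_seconds() parses into UTC epoch seconds.
    """
    return ssl.cert_time_to_seconds(not_before) >= ssl.cert_time_to_seconds(
        HEARTBLEED_DISCLOSURE
    )


def password_change_advice(not_before: str, still_vulnerable: bool) -> str:
    """Apply the thread's heuristic to one site.

    still_vulnerable comes from an external Heartbleed tester (not done here).
    Returns one of: "wait", "change now", "unclear".
    """
    if still_vulnerable:
        # Logging in now would hand the new password to the same leaky server.
        return "wait"
    if issued_after_disclosure(not_before):
        # A reissued cert strongly suggests the site was affected and has
        # finished remediation, so a new password is worthwhile now.
        return "change now"
    # Old cert: either the site was never affected, or it patched OpenSSL
    # without reissuing. The thread notes both readings; ask the site.
    return "unclear"


def build_report(sites):
    """Map each (name, notBefore, still_vulnerable) record to its advice."""
    return {
        name: password_change_advice(not_before, vulnerable)
        for name, not_before, vulnerable in sites
    }


def fetch_not_before(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch a live server's certificate notBefore string (needs network).

    Not called in the offline sample below; shown so the report can be fed
    with real data instead of the constructed records.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


# Constructed sample records (hypothetical hosts, not real measurements).
SAMPLE_SITES = [
    ("bank.example", "Mar 20 00:00:00 2013 GMT", False),
    ("shop.example", "Apr  9 12:00:00 2014 GMT", False),
    ("forum.example", "Apr 10 00:00:00 2014 GMT", True),
]


if __name__ == "__main__":
    for name, advice in build_report(SAMPLE_SITES).items():
        print(f"{name}: {advice}")
```

The `"unclear"` bucket is deliberate: as the last comment points out, an old certificate on a now-patched site is consistent with both "never affected" and "patched but not reissued", and no amount of certificate inspection distinguishes them, so the script refuses to guess.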