Isn't that only if you google or somehow get duped into clicking on a fake Neowin link? If you bookmark Neowin and use that, we should be OK.
Also you can use this link https://www.ssllabs.com/ to check sites to see if they are vulnerable to the heartbleed vulnerability.
Depends on how paranoid you are. We (should) know all too well how extensively certain people are breaching our privacy and security, in particular systems administrators in some respects. A compromised certificate not only helps to add legitimacy to a phishing attack (which could perhaps be avoided with the use of a bookmark, as you suggest), but also to MITM attacks.
The vulnerability exposes application memory content, which could expose authentication credentials of users logging in, or potentially even the site/service's private key (there seems to be some debate about this). Patching the hole prevents further data leakage; however, there's still a problem if the private key was indeed compromised.
If the private key is indeed compromised:
- Any secure communications without PFS are also compromised. This applies to all past and future communications, regardless of whether the patch has been applied.
- Communications protected with PFS are a little more complicated. They require that session keys are compromised independently of the RSA private key. If there's a possibility of private keys being leaked, there's certainly also a possibility of session keys being leaked, though it occurs to me that having to fish the right session key out of memory for a given communication might be a slightly trickier challenge. If it is possible, communications that have taken place prior to servers being patched may have been compromised. Communications taking place after the servers have been patched are secure, despite the private key having been compromised, but only as long as you are communicating with the correct servers.
- Whether or not PFS is used, if the RSA private key is compromised, it is possible for an attacker to perform a MITM attack. PFS isn't going to do anything to protect you in this case.
Whether or not the certificate needs replacing depends on whether it has been possible for it to have been leaked through vulnerable application software, which as I mentioned seems to perhaps be under dispute. If it is indeed possible that the certificate may have been compromised, it is pointless for us to change our passwords prior to the certificate being replaced.
I really want to see this whole mess cleaned up as quickly as possible and I'd much rather see website/service owners assuming the worst case scenario and immediately replacing certificates than delaying things by spending time trying to understand and identify whether the architecture of the webserver software (or whatever) that they have been running over the past few years may perhaps have allowed the private key to be leaked in order to make a decision as to whether or not to go ahead with a replacement.
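The difference between the non-PFS and PFS bullets above comes down to what a recorded handshake contains. The following toy model is an added example, not code from the poster or from Neowin, and uses deliberately tiny, constructed parameters (small RSA primes, the Mersenne prime 2**127-1 as a DH modulus, an unpadded hash-and-sign "signature") so the arithmetic is visible; none of it is secure and none of it is real TLS. It records a handshake in each mode and then checks what a passive eavesdropper can recover once the long-term RSA private exponent `D` is later obtained.

```python
"""Toy model of retrospective decryption: RSA key transport vs. ephemeral DH."""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key pair. Small primes for illustration only; not secure.
P, Q = 104729, 1299709
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)  # long-term private exponent: the value a memory leak might expose

# Constructed toy Diffie-Hellman group (Mersenne prime, generator 3); not a real TLS group.
DH_P = (1 << 127) - 1
DH_G = 3


def derive_session_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the agreed secret."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def rsa_sign(message: bytes) -> int:
    """Toy hash-then-sign with the long-term key (no padding; illustration only)."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return pow(h, D, N)


def rsa_verify(message: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return pow(signature, E, N) == h


def rsa_key_exchange_handshake() -> tuple:
    """Non-PFS mode: the client encrypts a pre-master secret to the server's RSA key.

    Returns (session_key, transcript), where transcript is everything an eavesdropper
    on the wire would have recorded."""
    pms = secrets.randbelow(N - 2) + 2
    transcript = {"mode": "RSA", "encrypted_pms": pow(pms, E, N)}
    return derive_session_key(pms), transcript


def dhe_handshake() -> tuple:
    """PFS mode: both sides use fresh ephemeral DH exponents; the long-term RSA key
    only signs the server's ephemeral public value."""
    a = secrets.randbelow(DH_P - 2) + 2  # client ephemeral exponent, discarded after use
    b = secrets.randbelow(DH_P - 2) + 2  # server ephemeral exponent, discarded after use
    client_pub = pow(DH_G, a, DH_P)
    server_pub = pow(DH_G, b, DH_P)
    params = f"{DH_P}:{DH_G}:{server_pub}".encode()
    signature = rsa_sign(params)  # binds the ephemeral key to the certificate holder
    shared = pow(client_pub, b, DH_P)  # equals pow(server_pub, a, DH_P) on the client
    transcript = {"mode": "DHE", "client_pub": client_pub, "server_pub": server_pub,
                  "params": params, "signature": signature}
    return derive_session_key(shared), transcript


def recover_session_key_from_recording(transcript: dict, leaked_d: int):
    """What a passive eavesdropper gets from a stored recording plus a later-leaked key."""
    if transcript["mode"] == "RSA":
        # The recording contains the pre-master secret encrypted to the leaked key,
        # so every past session protected this way is readable after the fact.
        pms = pow(transcript["encrypted_pms"], leaked_d, N)
        return derive_session_key(pms)
    # DHE: the recording holds only g^a, g^b and a signature over them. Neither
    # exponent was ever transmitted, so the leaked signing key does not yield the
    # session key; it would only let an *active* party forge future signatures,
    # which is why the certificate still has to be replaced.
    return None


if __name__ == "__main__":
    key, rec = rsa_key_exchange_handshake()
    print("RSA key transport, past session recovered:",
          recover_session_key_from_recording(rec, D) == key)
    key, rec = dhe_handshake()
    print("DHE (PFS), past session recovered:",
          recover_session_key_from_recording(rec, D) == key)
```

The model also makes the poster's last bullet concrete: `rsa_verify` accepts anything produced with `D`, so once the private exponent is out, a valid signature no longer proves you are talking to the genuine server, whichever key exchange is in use. Patching stops further leakage; only replacing and revoking the certificate restores that guarantee.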