Posted by a colleague in response to the question "what should I tell my non-techie friends/family about heartbleed.com?"
I liked the phrasing so much I'm reposting it verbatim.

Update
to verify particular sites of interest.
Over the next few days they should avoid doing any sort of banking, shopping, or other security-relevant activity online. It will take time for those sites' security teams to upgrade their software and revoke their certificates; until that is done, nearly anyone can be a MITM for yourbank.com. Certificate pinning won't help us, since attackers would have legitimate copies of the server certificates. If your friends need to do something security-relevant online, then they should use a wired connection from a trustworthy location, take as little time as they can, and make sure to log out when they're done.
I'd bet money that over the next few weeks someone will figure out how to leverage compromised certs into an effective phishing campaign, so your friends should be extra careful about links they receive in email.
We've basically been put in a temporary wormhole to a '90s hacker movie, where all the ridiculous stuff like ripping raw passwords out of a remote server is actually happening.
Unless you feel like teaching them the difference between WEP and WPA2.

Their home is probably fine. Their library, internet cafe, hotel business terminal, or local Starbucks are not fine. Their workplace is fine if they work at a tech company.

Let's hope that the server invalidates its session token on a logout.