> How do I determine whether or not the web servers I run are affected?

Here's a simple way:

    echo B | openssl s_client -connect $HOST:$PORT

If you see "heartbeating" at the end, then $HOST is vulnerable.

How can you tell if private keys have been taken?

You can't, really. You can estimate the likelihood by looking closely at how OpenSSL_Malloc() return values are used and laid out. The risk is that an allocated ssl-record buffer is right up against a private key being stored.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA