First, there was a really easy way not to be impacted by this bug: not running a vulnerable OpenSSL at all. Buying your certificate from a commercial certificate firm (Verisign, GlobalSign among others) does not help here, because the bug is in the OpenSSL library that handles the encrypted connection on the server, not in the certificate itself. A server running a vulnerable OpenSSL (1.0.1 up to 1.0.1f) leaked its memory, private key included, whether the certificate was free or expensive. Only servers using another TLS stack, an OpenSSL version before 1.0.1 (which had no heartbeat extension), or a build compiled with -DOPENSSL_NO_HEARTBEATS were unaffected. Those who invested a very small part of their overall IT budget in keeping an inventory of their TLS stacks and patching them professionally have nothing to worry about now.
The second question is how it is possible that this bug, of which rumor says that exploits or the buggy code were already floating around for two years, has only been fixed now, after the analysis by a third party. It shows in fact that an open source model without a paid business model behind it to pay for the developers, the testing of the code and so on is not really a viable solution for really critical installations. In the freeware world the paid-support variant is called freemium. But you really need the permanent coders and testers to be sure that everything is always (re)checked and analyzed. The community is an inspiration, even for commercial products, but it can't be a long-term strategy if there is no business model behind it.
The third question is that there is another solution to all the problems with passwords. In fact passwords are a vulnerability: not only are there millions of passwords leaked every month on the internet (and people re-use the same passwords over and over again), they also need to be longer and longer (at least 12 characters) to withstand brute-force attacks by stronger hardware (graphics cards) and ever-increasing dictionaries of passwords that were actually used (leaked ones), which are always better for the attacker than theoretical possibilities.
There is two-factor authentication, as used in the secure laptop of course.
The fourth question is about the back-office use of OpenSSL. OpenSSL is maybe not used at the front office, but it is used in back-office operations in which institutions and firms exchange information between themselves or with each other. This is not a problem if there is no problem in the back office, but what if you have been compromised during the last two years and the intruders had access to the buggy code and could decode everything you did in the back office that you thought was encrypted and for this reason safe? What if this is one of the reasons the NSA was so sure it could decrypt VPN tunnels in internal networks when it had control over the router? Just a question. Is it possible to replay the traffic, even if you didn't have the decoding script at the time, and decrypt everything now if you intercepted it then and kept a copy until the encryption was broken? The answer depends on the cipher suite that was negotiated: with RSA key exchange, the session key is sent encrypted under the server's certificate key, so anyone who recorded the traffic and later obtains that private key (which this bug could leak straight out of memory) can decrypt the old sessions. With ephemeral Diffie-Hellman (DHE or ECDHE, the suites that give forward secrecy), the server's long-term key only signs the handshake and a leak of it does not expose sessions recorded earlier.
Can you still have absolute trust in back-office operations using OpenSSL if these services are used for data that need absolute protection and certification?
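To make the "record now, decrypt later" question above concrete, here is a toy simulation added here as an example (it is not code from the original post and not OpenSSL code). It uses textbook RSA with tiny primes and a small Diffie-Hellman group purely to show the structure of the two key exchanges; the numbers, the transcript format and the function names are all assumptions of this example, not real TLS. An eavesdropper records both kinds of handshake, and afterwards the server's private key leaks: the RSA-exchanged session key falls out immediately, the DHE one does not.

```python
"""
Toy model of forward secrecy: why a leaked long-term server key decrypts
recorded RSA-key-exchange sessions but not recorded (EC)DHE sessions.
Constructed example, textbook-sized numbers, NOT real TLS and NOT OpenSSL code.
"""
import secrets

# --- toy RSA long-term server key (classic small textbook parameters) ---
RSA_P, RSA_Q, RSA_E = 61, 53, 17
RSA_N = RSA_P * RSA_Q            # 3233
RSA_D = 2753                     # 17 * 2753 == 1 mod (60 * 52)


def rsa_public(m, e=RSA_E, n=RSA_N):
    """Textbook RSA public operation (encrypt, or verify a signature)."""
    return pow(m, e, n)


def rsa_private(c, d=RSA_D, n=RSA_N):
    """Textbook RSA private operation (decrypt, or sign)."""
    return pow(c, d, n)


# --- toy Diffie-Hellman group: p = 2**127 - 1 is a Mersenne prime ---
DH_P = 2 ** 127 - 1
DH_G = 3


def rsa_kex_session():
    """RSA key exchange: the client picks the premaster secret and sends it
    encrypted under the server's long-term public key. An eavesdropper sees
    only the ciphertext. Returns (recorded transcript, real session secret)."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"kex": "rsa", "encrypted_premaster": rsa_public(premaster)}
    return transcript, premaster


def dhe_session():
    """Ephemeral DH: both sides pick fresh exponents; the server signs its
    share with the long-term key so the client knows who it talks to.
    Returns (recorded transcript, real session secret)."""
    a = secrets.randbelow(DH_P - 3) + 2
    b = secrets.randbelow(DH_P - 3) + 2
    client_pub = pow(DH_G, a, DH_P)
    server_pub = pow(DH_G, b, DH_P)
    shared = pow(server_pub, a, DH_P)
    assert shared == pow(client_pub, b, DH_P)   # both sides agree
    # toy signature: private RSA op over the share reduced mod n (no padding)
    signature = rsa_private(server_pub % RSA_N)
    transcript = {"kex": "dhe", "client_pub": client_pub,
                  "server_pub": server_pub, "server_sig": signature}
    return transcript, shared


def recover_after_key_leak(transcript, leaked_d=RSA_D):
    """What a passive recorder can compute once the server's RSA private
    exponent leaks (as Heartbleed could leak it from process memory).
    Returns the session secret, or None if the leak does not give it."""
    if transcript["kex"] == "rsa":
        return rsa_private(transcript["encrypted_premaster"], leaked_d)
    # DHE: the leaked key lets us forge signatures for FUTURE handshakes
    # (an active attack), but g^a and g^b alone do not yield g^(ab);
    # the ephemeral exponents were never encrypted under the leaked key.
    assert rsa_public(transcript["server_sig"]) == transcript["server_pub"] % RSA_N
    return None


def replay_attack_results():
    """Record one session of each kind, then 'leak' the key and try to
    decrypt both. Returns (rsa_session_recovered, dhe_session_recovered)."""
    recorded = [rsa_kex_session(), dhe_session()]
    outcome = []
    for transcript, real_secret in recorded:
        recovered = recover_after_key_leak(transcript)
        outcome.append(recovered == real_secret)
    return tuple(outcome)


if __name__ == "__main__":
    rsa_ok, dhe_ok = replay_attack_results()
    print("RSA-KEX session decrypted from the recording:", rsa_ok)
    print("DHE session decrypted from the recording:   ", dhe_ok)
```

The practical consequence for the back office is the one the question hints at: if your internal services negotiated RSA key exchange (the default in many 2012-era configurations), assume any traffic captured during the vulnerable window is readable by whoever captured it, and move to ECDHE suites so that a future key leak does not have the same effect.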
The fifth question is whether services that are still vulnerable should be pushed off the internet or not, or whether there should be an automatic warning popping up in the browser not to enter any confidential information into that online service. Just as when Linux-generated certificates were found to be broken some time ago and we discovered months later that there were still online services that hadn't been fixed yet. People should be warned when they are confronted with such services.
Otherwise someone could even keep services running with the old vulnerable OpenSSL version and read the passwords or other information out of their memory afterwards. Users will never think that this is possible because they have seen the SSL padlock and assumed that it was safe.
We are discovering services in Belgium that have updated the version but didn't re-issue the certificate, and we also have to state that it is absolutely necessary to change the administrative passwords of the machines and applications that were vulnerable. Re-issuing means generating a new private key and getting a new certificate for it, then revoking the old one; a certificate re-issued on the same key pair is still compromised. Session cookies, API keys and other secrets that sat in the server's memory during the vulnerable period should be treated the same way as the passwords.
We still say that it is for the moment not very safe to go on Tor or other services encrypted with OpenSSL, as it is for the moment not certain that everybody has done everything necessary in their sometimes very complex and big networks.
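A quick way to spot the "updated but never re-issued" case mentioned above is to look at the certificate's notBefore date and fingerprint. The checker below is added here as an example (not from the original post, not an official tool); it parses the text that `openssl x509 -noout -dates -fingerprint -sha1` prints, using only the Python standard library, and flags a certificate that still predates the day the fixed OpenSSL shipped (7 April 2014) or that still carries the fingerprint recorded while the host was vulnerable. The sample certificate texts and the hostnames are constructed for the example.

```python
"""
Flag certificates that were not re-issued after the Heartbleed fix.
Input is the text printed by:  openssl x509 -noout -dates -fingerprint -sha1
(for a live host: echo | openssl s_client -connect host:443 2>/dev/null | openssl x509 ...).
Added example; the sample data below is constructed, not real hosts.
"""
import ssl

# OpenSSL 1.0.1g with the fix was released on 7 April 2014.
HEARTBLEED_FIX_DATE = "Apr  7 00:00:00 2014 GMT"


def parse_x509_text(text):
    """Parse `openssl x509 -noout -dates -fingerprint` output into a dict with
    notBefore/notAfter as epoch seconds (UTC) and the fingerprint as a string."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("notBefore="):
            info["notBefore"] = ssl.cert_time_to_seconds(line.split("=", 1)[1])
        elif line.startswith("notAfter="):
            info["notAfter"] = ssl.cert_time_to_seconds(line.split("=", 1)[1])
        elif "Fingerprint=" in line:
            info["fingerprint"] = line.split("=", 1)[1].strip().upper()
    if "notBefore" not in info:
        raise ValueError("no notBefore line found in x509 text")
    return info


def needs_reissue(info, fix_date=HEARTBLEED_FIX_DATE, old_fingerprint=None):
    """True when the certificate still dates from before the fix, or is the
    very same certificate (by fingerprint) that was served while vulnerable.
    Caveat: a certificate re-issued on the OLD key pair passes this check
    but is still compromised; compare the public key too if you have it."""
    if old_fingerprint and info.get("fingerprint") == old_fingerprint.upper():
        return True
    return info["notBefore"] < ssl.cert_time_to_seconds(fix_date)


# Constructed sample outputs, as `openssl x509` would print them.
SAMPLES = {
    # issued in 2013, never replaced
    "old.example.be": """notBefore=Jan  5 00:00:00 2013 GMT
notAfter=Jan  5 23:59:59 2015 GMT
SHA1 Fingerprint=AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD""",
    # replaced a few days after the fix
    "fixed.example.be": """notBefore=Apr 10 12:00:00 2014 GMT
notAfter=Apr 10 12:00:00 2016 GMT
SHA1 Fingerprint=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67""",
}

# Fingerprint you recorded for fixed.example.be back when it was vulnerable
# (constructed): the same value means the certificate was not actually replaced.
PREVIOUSLY_SEEN = {"fixed.example.be": "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"}


def audit(samples=SAMPLES, previously_seen=PREVIOUSLY_SEEN):
    """Return {host: needs_reissue} for every sample."""
    return {host: needs_reissue(parse_x509_text(text),
                                old_fingerprint=previously_seen.get(host))
            for host, text in samples.items()}


if __name__ == "__main__":
    for host, flagged in audit().items():
        print(f"{host}: {'RE-ISSUE NEEDED' if flagged else 'looks re-issued'}")
```

Run it against your own inventory by feeding it the x509 text per host; the fingerprint comparison is what catches the case where the date looks fine because the operator re-deployed the same certificate after patching.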