
I have to admit that I'm confused as to which services exactly are affected by Heartbleed. I have read http://heartbleed.com but all I read is that OpenSSL is affected. Great, but I don't really know where OpenSSL is used.

So concretely, are these services affected:

  • HTTPS (OK this one I think I know the answer)
  • SSH
  • HTTP
  • others?

If I have a server which doesn't provide HTTPS (only HTTP), does that mean the server can't be affected by the bug?

Matthieu Napoli

4 Answers


It is hard to say exactly which apps/services are affected. This is because OpenSSL is a collection of programming code (referred to as a "library") that can be used to add TLS support to an application or system. TLS (Transport Layer Security) provides secure connections, and is best known for being the security layer behind HTTPS websites.

So if a programmer were writing a program that needed to use TLS to connect to something, they can use the OpenSSL library to add that ability to their app.

The OpenSSL library itself is constantly being improved, like many other bits of software. During this process, the Heartbleed bug was accidentally introduced in OpenSSL version 1.0.1, which was released on 14th of March 2012. It remained present through to version 1.0.1f (inclusive) and was fixed in 1.0.1g, released on 7th of April 2014.

This means that any application that uses those OpenSSL versions for TLS is potentially affected. No doubt the affected developers have fixes in progress.

The fix has since been "backported", meaning that it has been added to versions of OpenSSL prior to 1.0.1g. This is a good thing, and is commonly done for vulnerabilities, but has the side effect of making it harder to tell if an app is vulnerable (since you can't tell just by looking at the OpenSSL version).

To address your specific questions:

  • SSH is not affected (SSH is a different protocol to TLS)
  • HTTP is not affected (HTTP is also a different protocol to TLS), meaning that an HTTP-only server will not be affected.
  • Note that it's possible to provide HTTPS using other libraries - so Microsoft IIS Web Servers (which don't use OpenSSL) can provide HTTPS without being affected.

So in summary:

The only apps/services that are affected are those that use a vulnerable version of OpenSSL for TLS connections, and have TLS heartbeat support.

  • Other TLS libraries (like GnuTLS, SChannel, and JSSE) cannot possibly be affected by this particular bug, because it only exists in specific versions of the OpenSSL library.

  • If you are unsure, ask the person/company that wrote the application.

  • If you are a developer, find out what library your app is using for TLS connections and test to be certain.

scuzzy-delta
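As an added example (not from the answer above, and not OpenSSL's own tooling), a POSIX shell helper that applies the version range and the backport caveat described above to the banner printed by a local `openssl version -a`. The function names are my own, and the banners used in comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a local OpenSSL build against the Heartbleed-affected
# range (1.0.1 through 1.0.1f inclusive, fixed in 1.0.1g). Helper names are mine.

# Map the version field of an "openssl version" banner to a coarse status.
#   not-affected   : predates 1.0.1, so the bug was never in this branch
#   check-backport : 1.0.1 .. 1.0.1f, vulnerable unless the distro backported the fix
#   fixed          : 1.0.1g or later in the 1.0.1 branch
#   unknown        : anything this helper does not recognise
heartbleed_version_class() {
    # second whitespace-separated field, e.g. "1.0.1e" in "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        0.9.*|1.0.0*)       echo not-affected ;;
        1.0.1|1.0.1[a-f]*)  echo check-backport ;;
        1.0.1[g-z]*)        echo fixed ;;
        *)                  echo unknown ;;
    esac
}

# A build configured with no-heartbeats prints -DOPENSSL_NO_HEARTBEATS in the
# "compiler:" line of "openssl version -a"; such a build cannot be affected.
# Returns 0 (true) when heartbeats are compiled in, 1 when they are disabled.
heartbeats_compiled_in() {
    ! printf '%s\n' "$1" | grep -q 'OPENSSL_NO_HEARTBEATS'
}

# Combine both checks into one verdict for the full "openssl version -a" output.
heartbleed_verdict() {
    full="$1"
    first=$(printf '%s\n' "$full" | head -n 1)   # the plain version banner
    if ! heartbeats_compiled_in "$full"; then
        echo not-affected-no-heartbeats
    else
        heartbleed_version_class "$first"
    fi
}

# When run directly, check the binary on this host. A "check-backport" result
# means the version string alone is not enough: consult the distribution's
# package changelog for the Heartbleed fix.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_verdict "$(openssl version -a 2>/dev/null)"
fi
```

This only tells you about the openssl binary on the PATH; an application statically linked against its own copy of the library, or using a different libssl, must be checked separately.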

FTPS (FTP over SSL/TLS) services ARE affected. Here's a list of some FTP server and FTP client vendors and open source projects and their official responses.

http://www.filetransferconsulting.com/managed-file-transfer-heartbleed-ftp-server/

ftexperts

Here is a script that you can use to see if you're vulnerable or not: http://pastebin.com/1HxgWpTN

Here you also have an answer about SSH: https://superuser.com/questions/739349/does-heartbleed-affect-ssh-keys

No, Heartbleed doesn't really affect SSH keys, so you probably don't need to replace the SSH keys you've been using.

First, SSL and SSH are two different security protocols for two different uses. Likewise, OpenSSL and OpenSSH are also two completely different software packages, despite the similarities in their names.

Second, the Heartbleed exploit causes the vulnerable OpenSSL TLS/DTLS peer to return a random 64kB of memory, but it's almost certainly limited to memory accessible to that OpenSSL-using process. If that OpenSSL-using process doesn't have access to your SSH private key, then it can't leak it via Heartbleed.

Boogy
  • It's not quite as bad as "has access to". There's no remote execution vulnerability here, so although the user account the process is running as might have permission to files, the information is only (potentially) exposed if the process actually reads the file. – Ben Voigt Apr 13 '14 at 22:03

Well, OpenSSL is a tunneling technology that allows encryption consistency and identifies the service you contact with a third party.

HTTPS means HTTP over SSL.

In the case of SSL, it can be used in several network services. The only ones I know are

HTTPS, FTPS, SIP over SSL, and OpenVPN, which also uses OpenSSL.

The basic services HTTP, FTP or SIP are not encrypted and are vulnerable to many more things, but they are not susceptible to the Heartbleed exploit.

Kiwy