Heartbleed & Soulseek

Hello everyone. I'm one of many (I trust) who believe Soulseek to be so sensational that for more than 10 years I've largely roamed there, exchanging information and fun with Soulseekers, without much need to find answers on the forum. The matter at hand makes a difference:

Thoughts surrounding the Heartbleed bug bring me to ask: what's the reality regarding it and Soulseek?

slsknet.org and soulseekqt.net both result in alarm from the following Heartbleed test site:

http://filippo.io/Heartbleed/

I've searched on the forum, and Heartbleed gets no mention. How is using Soulseek affected?

I will be grateful for any insight.

Thank you Soulseek. You couldn't be lovelier to me.

Heartbleed only affects encryption services that use the OpenSSL code library, such as the HTTPS service offered by the Apache web server if it was built against a vulnerable version of that library. Not all Apache installations are built with this library, but I think the one Nir is using to serve up his websites is. Both sites are using the same server.

However, right now your browser's connection to the websites is probably using regular, unencrypted HTTP, not HTTPS, so it doesn't matter if the bug is present. So just like when you access any other ordinary HTTP site, an eavesdropper on the line or "man in the middle" can know all our IPs, login credentials, postings, and everything we look at on the site. If we were using HTTPS, all that they would see is that our IPs connected to Nir's and conversed via HTTPS.

Nir apparently did start to set up rudimentary HTTPS service a while back, but he doesn't have a valid certificate from a reputable provider; he's only using an expired, self-signed certificate, probably just something he set up temporarily to test with. So if you try to browse the site via HTTPS, you will have to click through a harsh warning presented by your browser, and you'll have to explicitly add his cert to your trusted certificates to indicate that you trust that it is actually Nir's (not a middleman's) and that his server's private key hasn't been compromised. I wouldn't do that, if I were you, just as a matter of best practices. I'm also guessing he didn't set it up with virtual hosting (on HTTPS servers it's still a relatively new feature) so probably the HTTPS service is only for the default domain, which may be one of the two you asked about or maybe another one altogether. I didn't click through the warnings to find out.

As for the Soulseek file-sharing clients and the Soulseek network's central server, I doubt any of them use OpenSSL; the protocol doesn't support encryption, AFAIK. If you really need to cloak your network traffic, you need to use a VPN.
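
As an added example that is not part of microwave's answer or of any Soulseek code: the checks a browser performs before it will trust a certificate without a warning (is it self-signed, is it expired, does it name the host you actually asked for), written in Python against the dictionary shape that `ssl.SSLSocket.getpeercert()` returns. The two certificates below are constructed samples standing in for a CA-issued cert and for an expired self-signed one like the one described above; they are not the real slsknet.org or soulseekqt.net certificates.

```python
import ssl
import time

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); neither is a real certificate.
CA_ISSUED_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "example.org")),
    "notBefore": "Jan 10 00:00:00 2014 GMT",
    "notAfter": "Jan 10 00:00:00 2016 GMT",
}
SELF_SIGNED_EXPIRED_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),   # issuer == subject
    "subjectAltName": (("DNS", "localhost"),),
    "notBefore": "Jan 10 00:00:00 2012 GMT",
    "notAfter": "Jan 10 00:00:00 2013 GMT",
}
# A point in time inside the first certificate's validity window.
APRIL_2014 = ssl.cert_time_to_seconds("Apr 10 00:00:00 2014 GMT")

def flatten_name(rdns):
    """Flatten getpeercert()'s nested issuer/subject tuples into a dict."""
    return {k: v for rdn in rdns for k, v in rdn}

def host_matches(pattern, hostname):
    """Exact match, or a single wildcard in the left-most label (*.example.org)."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return all(a == b or (a == "*" and i == 0) for i, (a, b) in enumerate(zip(p, h)))

def audit_peer_cert(cert, hostname, now=None):
    """Return the reasons a browser would refuse to trust `cert` silently."""
    now = time.time() if now is None else now
    findings = []
    if flatten_name(cert["issuer"]) == flatten_name(cert["subject"]):
        findings.append("self-signed")        # nobody but the server vouches for the key
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(host_matches(n, hostname) for n in names):
        findings.append("hostname-mismatch")  # cert was issued for a different (default) site
    return findings

if __name__ == "__main__":
    print(audit_peer_cert(CA_ISSUED_CERT, "www.example.org", APRIL_2014))
    print(audit_peer_cert(SELF_SIGNED_EXPIRED_CERT, "www.example.org", APRIL_2014))
```

An empty list means the browser would connect silently; every entry is one of the warnings you would otherwise have to click through, and "self-signed" is the one no amount of clicking can make safe.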

Thanks very much for your thorough and insightful answer, microwave. You've certainly added clarity to the situation.