my speculative theory is that the heartbleed can only gather the sites private key(certificate) but cannot decrypt user data. thus needing to make a phishing site to get user data. the only user data they can decrypt is their own. which is why fillipio can only see "yellow submarine" in cleartext and the rest is jibberish. apart from the websites own certificate soon after a reboot.
This is incorrect. I used the tool offered by fillipio, and I was most certainly able to get cleartext HTTP sessions from other users out of the memory dumps.
The really important thing to keep in mind with Heartbleed, is that the entire goal of SSL is to encrypt
traffic packets so that eavesdroppers of said packets (like the NSA!) cannot see what is inside of them. However, having the private keys most certainly allows an attacker to decrypt that traffic data, if they are able to get it (which the NSA almost always can).
So heartbleed can allow k1dd13s a mirror into other people's user sessions, I've seen it. Whatever is in RAM (in the heap) has a chance of being exposed directly. Indirectly, it can also allow anyone with OOB access to encrypted transit packets to decrypt them assuming they put in the trivial amount of effort to finagle the private keys out of the primary leak.