Happy new year!
Dec 31st, 2008 by Jesper Kråkhede
I just learned that public MD5 certificates could be forged, breaking the chain of trust. The forging means that your web browser will think that the certificate is valid and will not ask you whether you want to go to the site. In IE 7 you will not get a green bar showing it is a valid certificate, but you will not get a red warning either. But take this a step further. What if I were to create a CA using a forged certificate, start issuing SHA1 certificates and then set up a bank site that is 100% identical to your bank? What would then happen? Would you trust the site? Read more here.
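One check a defender can run against the scenario above is to look at which hash the issuing CA actually signed with. The following is an added example, not code from the original post: it walks the DER of an X.509 certificate with no third-party library, pulls out the outer signatureAlgorithm OID and flags the MD2-, MD5- and SHA-1-based RSA algorithms. The certificates it runs on are constructed stand-ins built by `constructed_cert` (placeholder tbsCertificate, fake signature bits), not real CA output.

```python
# DER walk over Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
WEAK_SIGNATURE_OIDS = {  # PKCS #1 RSA signature OIDs built on MD2, MD5 and SHA-1
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def _read_tlv(buf: bytes, pos: int) -> "tuple[int, bytes, int]":
    """Return (tag, value, position after element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs, high bit set on every byte but the last
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm, the one the chain of trust rests on."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)       # skip tbsCertificate entirely
    _, alg_id, _ = _read_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg_id, 0)     # its first element is the algorithm OID
    return _decode_oid(oid)

def weak_signature(cert_der: bytes) -> "str | None":
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm(cert_der))

def _tlv(tag: int, value: bytes) -> bytes:  # DER encode one element
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    n = (len(value).bit_length() + 7) // 8  # long-form length
    return bytes([tag, 0x80 | n]) + len(value).to_bytes(n, "big") + value
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
def constructed_cert(sig_oid_der: bytes) -> bytes:
    """Constructed stand-in: placeholder tbsCertificate, fake signature bits."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                    # just a serialNumber
    alg = _tlv(0x30, _tlv(0x06, sig_oid_der) + b"\x05\x00")  # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 128)                 # BIT STRING, long-form length
    return _tlv(0x30, tbs + alg + sig)
```

Point `signature_algorithm` at the DER bytes of every certificate in a chain (the issuing CA's certificate included) and anything `weak_signature` names is a link that rests on a collision-prone hash.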
Happy new year!