A team of “security researchers” has announced they managed to issue false SSL certificates by using a md5 vulnerability. This was announced publicly at a hackers’ conference today in Berlin, with full details disclosed here
They were able to do so with a known vulnerability for md5 hash functions, and used an array of 200 PS3s to create a false SSL certificate. The PlayStation 3 was used because of its Cell micro-processor and vector calculations abilities, making it ideal for brute force attacks like this.
This means the SSL protection advertised by banks or ecommerce websites are now rendered compromised.
If you purchased an SSL certificate from RapidSSL or FreeSSL (one of the “cracked” SSL providers), you must take steps to verify the integrity of your servers, even if it’s highly unlikely that a hacker will find the resources to gather 200 PS3s overnight to get advantage of this vulnerability. Look for instance for a provider which uses SHA-1 message authentication, instead of md5