O problema é ainda ser permitido o uso do MD5. Resumo:
"Our main result is that we are in possession of a “rogue” Certification Authority (CA) certificate. This certificate will be accepted as valid and trusted by many browsers, as it appears to be based on one of the “root CA certificates” present in the so called “trust list” of the browser."
Notícia completa no blog ZeroDay:
SSL broken! Hackers create rogue CA certificate using MD5 collisions
MD5 considered harmful today - Creating a rogue CA certificate