A presentation at the CCC 2008 congress showed how to create a rogue CA certificate, based on the well-known flaws in the MD-5 hashing algorithm. There is also an exhaustive explanation on the web. Verisign already reacted and switched to SHA-1. For students it might be interesting to see that a very basic crypto algorithm flaw can possibly harm a whole Internet security infrastructure. What happens if SHA-1 is broken tomorrow ?