| Forging CA Certificates |
| Written by Administrator |
| Saturday, 21 March 2009 11:48 |
Presented at the 25th Chaos Communication Congress (25C3) in Berlin in December 2008, the method produced a forged CA certificate that was then used to impersonate a website. In the hands of phishers it could be used to impersonate highly sensitive sites such as banking and e-commerce sites, with the browser showing a valid certificate chain. The vulnerability lies in the MD5 hash function, which several certificate authorities were still using to sign certificates. The method's central concept is a chosen-prefix collision in MD5: two different messages with the same MD5 hash, where the attacker controls the beginning of each message. The attacker obtains a legitimate end-entity certificate from the CA; because the CA signs only the hash of the certificate body, that same signature is also valid for a second, rogue CA certificate body constructed to collide with the first. Earlier work had shown such collisions to be theoretically possible; this goes one step further and implements them in an actual attack scenario.
The full presentation can be found here: http://www.win.tue.nl/hashclash/rogue-ca/
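The signature-transfer step described above, as an added example that is not part of the original article or of the hashclash authors' code. To keep it runnable offline, the CA's hash is assumed to be MD5 truncated to 16 bits so a chosen-prefix collision can be brute-forced in milliseconds, and the CA signature is assumed to be textbook RSA over that truncated digest with a small key generated from fixed primes; the real attack needed a full MD5 chosen-prefix collision and a real CA. The two certificate bodies are constructed strings standing in for the to-be-signed fields.

```python
import hashlib
import math

# Assumption for illustration: the CA hashes with MD5 truncated to 16 bits.
# This stands in for "a hash function weak enough that collisions are cheap".
WEAK_HASH_BYTES = 2


def weak_hash(data: bytes) -> bytes:
    return hashlib.md5(data).digest()[:WEAK_HASH_BYTES]


def find_chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes):
    """Return (suffix_a, suffix_b) with
    weak_hash(prefix_a + suffix_a) == weak_hash(prefix_b + suffix_b).

    The attacker chooses both prefixes (the certificate fields) and only
    needs control of some trailing bytes ("collision blocks"). Against the
    toy hash a birthday search suffices; against full MD5 the hashclash
    authors needed a dedicated chosen-prefix collision algorithm."""
    table = {}
    for i in range(1 << 12):
        s = i.to_bytes(4, "big")
        table.setdefault(weak_hash(prefix_a + s), s)
    for i in range(1 << 24):
        s = i.to_bytes(4, "big")
        h = weak_hash(prefix_b + s)
        if h in table:
            return table[h], s
    raise RuntimeError("no collision found (should not happen for 16 bits)")


def _next_prime(n: int) -> int:
    while True:
        n += 1
        if all(n % p for p in range(2, math.isqrt(n) + 1)):
            return n


def make_toy_ca_key():
    """Textbook RSA with a small modulus (assumed toy key; never use in practice).
    The modulus only needs to exceed 2**16 because the signed value is the
    16-bit truncated digest."""
    p, q = _next_prime(100_000), _next_prime(200_000)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e = _next_prime(e)
    return (n, e), (n, pow(e, -1, phi))


def sign(tbs: bytes, priv) -> int:
    # The CA signs the digest of the to-be-signed body, not the body itself.
    n, d = priv
    return pow(int.from_bytes(weak_hash(tbs), "big"), d, n)


def verify(tbs: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(weak_hash(tbs), "big")


def run_attack():
    """Reproduce the attack flow with the toy hash and key; returns the checks."""
    pub, priv = make_toy_ca_key()
    # Constructed stand-ins for the to-be-signed fields of two certificates.
    legit_prefix = b"subject=CN=www.example.com;basicConstraints=CA:FALSE;"
    rogue_prefix = b"subject=CN=Rogue Intermediate CA;basicConstraints=CA:TRUE;"

    # 1. Attacker computes collision blocks so both bodies share a digest.
    sa, sb = find_chosen_prefix_collision(legit_prefix, rogue_prefix)
    legit_tbs, rogue_tbs = legit_prefix + sa, rogue_prefix + sb

    # 2. The CA sees only the harmless request and signs it.
    sig = sign(legit_tbs, priv)

    # 3. The same signature verifies over the rogue CA body.
    return {
        "weak_hashes_equal": weak_hash(legit_tbs) == weak_hash(rogue_tbs),
        "legit_verifies": verify(legit_tbs, sig, pub),
        "rogue_verifies": verify(rogue_tbs, sig, pub),
        # The collision does not survive a hash the attacker cannot break.
        "sha256_collides": hashlib.sha256(legit_tbs).digest()
        == hashlib.sha256(rogue_tbs).digest(),
    }


if __name__ == "__main__":
    for k, v in run_attack().items():
        print(f"{k}: {v}")
```

The last check is the practical takeaway: the forged signature is only as strong as the digest the CA signs, so a CA that moves from MD5 to SHA-256 (or that randomises the serial number so the attacker cannot predict the full prefix) removes the precondition for the attack.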
| Last Updated on Saturday, 04 April 2009 02:16 |