2009-02-12: 00:44 UTC     New SSL Certificates

Over the next several days we will be replacing the SSL certificates on all web, SMTP, IMAP, and POP3 servers. This is being done in response to the recently published attack on MD5-signed SSL certificates. The short story is that the researchers created a rogue CA (Certificate Authority) signing certificate that can be used to sign end-entity SSL certificates which appear to have been issued by the real CA. The gory details are here.

Exploiting this MD5 weakness requires considerable cryptographic expertise and a significant amount of computing power to create the forged CA signing certificate. The attacker then has to steer the victim to a fake server via DNS hijacking, social engineering, or phishing. Because a certificate signed by the forged CA chains up to a trusted root, the browser shows no warning, so the usual "look for the padlock" advice does not protect the victim. Financial institutions would be the likely target should generating the forged CA certificate actually be accomplished outside the laboratory.
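The check a practitioner would want after a certificate swap like the one announced above is whether any certificate in the served chain is still MD5-signed, and that means looking at the signatureAlgorithm field of every certificate in the chain, not just the leaf (the rogue certificate in the published attack was an intermediate CA). The following Python is an added example, not code from the original announcement or from any CA or vendor. It contains a minimal DER reader that pulls the signature algorithm OID out of an X.509 certificate and compares it against the copy inside tbsCertificate, plus a tiny DER builder used only to fabricate certificate-shaped sample input; the sample "certificates" are constructed for the example, carry no real signature, and the OIDs are the standard PKCS#1 signature-algorithm identifiers.

```python
"""Report which signature algorithm each certificate in a chain carries.

Added example: a minimal DER reader for the X.509 signatureAlgorithm field,
with a small DER builder used only to construct sample input.  The sample
certificates below are fabricated for this example and are not real.
"""

# PKCS#1 signature algorithm OIDs (RFC 3279 / RFC 4055)
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption"}

# --- DER reader -------------------------------------------------------------

def read_tlv(buf, pos=0):
    """Return (tag, content_bytes, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(seq_content):
    """Split the content octets of a SEQUENCE into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(seq_content):
        tag, value, pos = read_tlv(seq_content, pos)
        out.append((tag, value))
    return out

def decode_oid(content):
    """Dotted-decimal form of an OBJECT IDENTIFIER's content octets."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def algorithm_name(alg_identifier_content):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    oid_tag, oid_content = children(alg_identifier_content)[0]
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_content)
    return SIG_ALG_NAMES.get(oid, oid)      # unknown OIDs are returned in dotted form

def signature_algorithm(cert_der):
    """Signature algorithm of one DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    RFC 5280 requires the outer signatureAlgorithm to equal tbsCertificate.signature,
    so both are read and a mismatch is an error rather than something to trust.
    """
    tag, body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    (tbs_tag, tbs), (alg_tag, alg), _signature_value = children(body)
    if tbs_tag != 0x30 or alg_tag != 0x30:
        raise ValueError("unexpected certificate structure")
    outer = algorithm_name(alg)
    fields = children(tbs)                  # [0] version OPTIONAL, serialNumber, signature, ...
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    inner = algorithm_name(fields[1][1])
    if inner != outer:
        raise ValueError(f"signature algorithm mismatch: tbs={inner}, outer={outer}")
    return outer

def weak_links(chain):
    """Indexes (0 = leaf) of chain members signed with a weak algorithm."""
    return [i for i, der in enumerate(chain) if signature_algorithm(der) in WEAK_SIG_ALGS]

# --- DER builder, used only to construct sample input ----------------------

def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        digits = [arc & 0x7F]
        arc >>= 7
        while arc:
            digits.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(digits))
    return tlv(0x06, bytes(out))

def fake_cert(sig_oid, serial):
    """Certificate-shaped DER with only the fields the checker reads (constructed, unsigned)."""
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))          # AlgorithmIdentifier, NULL params
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))                    # [0] version v3
                    + tlv(0x02, bytes([serial]))                     # serialNumber
                    + alg)                                           # signature
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))            # + dummy signatureValue

# Constructed sample chain: the weak signature sits on the intermediate, as in the attack.
CHAIN = [
    fake_cert("1.2.840.113549.1.1.5", 1),   # leaf, SHA-1 signed
    fake_cert("1.2.840.113549.1.1.4", 2),   # intermediate CA, MD5 signed
    fake_cert("1.2.840.113549.1.1.5", 3),   # root, SHA-1 signed
]

if __name__ == "__main__":
    for i, der in enumerate(CHAIN):
        print(i, signature_algorithm(der))
    print("weak links:", weak_links(CHAIN))
```

On a real server the chain to feed `weak_links` is whatever the TLS handshake delivers; the root itself is trusted by inclusion in the client's store, so an MD5 signature on a self-signed root is harmless, while one on an intermediate or leaf is exactly what the attack exploits.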