MD5 was found to be vulnerable a few years ago. Recently, a team succeeded in producing a fake CA SSL certificate.
MD5 or SHA-1 is the algorithm used to authenticate the peer in SSL messages. If it gets compromised, then by combining various techniques it becomes possible to mount a man-in-the-middle (MitM) attack.
But too much noise has been made about it. There is a nice reaction.
Indeed, the attack still requires a lot of effort and a number of conditions to be possible. And the CPU power required is still huge: the researchers used no fewer than a cluster of 200 PS3s to drive the attack. Even with that hardware and engineering, it took up to 3 days of intensive computation.
Not everyone can afford it, nor would everyone have much motivation to attack a single user like this.
Security has always been a compromise between usability and risk. Today, the risk concerning MD5 is still low enough to stop this wind of panic.
Let’s begin the migration to SHA-1 quietly.
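
A quiet migration starts with knowing which certificates are still signed with MD5. The following is an added example, not part of the original post: a small DER reader that pulls the `signatureAlgorithm` OID out of a certificate and lists the MD5-signed ones. The helper names and the sample certificate skeletons are constructed for illustration.

```python
# Added example: helper names and sample data are constructed, not from the post.
SIG_OIDS = {  # signatureAlgorithm OIDs defined by PKCS #1
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def decode_oid(data):
    arcs, acc = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:                 # base-128 digits, high bit set = more follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    outer_tag, start, _ = read_tlv(cert, 0)
    _, _, tbs_end = read_tlv(cert, start)          # skip over tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)      # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if outer_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate layout")
    oid = decode_oid(cert[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)                  # unknown OIDs come back dotted

def md5_signed(certs):                 # certs: dict of name -> DER bytes
    return sorted(n for n, c in certs.items() if signature_algorithm(c) in WEAK)

def der(tag, body):                    # minimal encoder, sample elements < 256 bytes
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def sample_cert(last_arc):
    """Constructed skeleton (outer layout only), not a real certificate."""
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    alg = der(0x30, der(0x06, oid) + der(0x05, b""))
    return der(0x30, der(0x30, der(0x04, bytes(200))) + alg + der(0x03, bytes(17)))
```

For PEM files, strip the `BEGIN`/`END CERTIFICATE` lines and base64-decode the body before passing it to `signature_algorithm`.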