
Simon Willison’s Weblog

Researchers Show How to Forge Site Certificates. Use an MD5 collision to create two certificates with the same MD5 hash, one for a domain you own and another for amazon.com. Get Equifax CA to sign your domain’s certificate using the outdated “MD5 with RSA” signing method. Copy that signature onto your home-made amazon.com certificate to create a fake certificate for Amazon that will be accepted by any browser.


1 comment

  1. I was just wondering the other day whether SSL/TLS connections are only safer because of the entry barrier, so that they are still not used universally -- you probably still get quick results when simply redirecting sites with DNS forgery. I mean if almost every site used https (which some have suggested as a solution to web security, and it indeed looks attractive), similar attacks on the certificate infrastructure may become commonplace.

    It's like the way SUVs are only "safe" when not everyone's using them, and then you're back to square one -- you have to be careful again.

    We could think of it as a weakness of the UI -- not providing easily accessible ways to check the credentials of the sites (EV certs are "surely" better). But there are even cases where certificates are not as easily inspected as in browsers -- think IM, sending email.

    Well, security is hard :)

    Janos - 30th December 2008 23:57 - #
