Die, Dora, die!
Yeah, parent comment is correct. MD5 roots are not important *yet*, though they may be an issue in the future when MD5 collisions can be created arbitrarily (versus using birthday attacks).
MD5 certs anywhere in the chain (with the exception of the trusted root) mean that the certificate is suspicious *today*.
If you blacklist all CAs that use MD5 hashes in the root, you are likely safe (unless there's an unsafe intermediate somewhere).
IMHO, this needs a browser fix to mark any certificate with MD5 in its chain as potentially untrusted.
It's a problem for all websites. All you need to do is forge a certificate from Amazon that uses MD5 and redirect someone's browser via Wi-Fi hacking or DNS redirection.
The browser doesn't know that Amazon didn't use Verisign's busted MD5 cert root.
Zing!
But nature has a lot longer than us to retaliate. It's like that creepy guy in the office you pissed off a few years ago - he's just waiting for the right time to get you back.
They've been secretly stealing all the cameras. Go ahead and check - I bet yours is missing. Bastards got mine last week.
Easy fix:
Build the elevator in the Florida Everglades and use mosquito carcasses as reaction mass.
Apollo 1 doesn't count, as NASA declared a mulligan.
Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall