Recently a "wildcard" SSL (secure socket layer) certificate for Google (i.e. *.google.com) was found in the wild, presented by a non-Google site at an Iranian IP address. This means that the server could impersonate any Google website that has "google.com" in the name. In this way malicious operators could collect login information for many services, including email, and then scan email for more personal details to assist in identity theft, or steal login credentials for other sites, such as PayPal, directly. (Many sites require you to receive email at a known email address to reset your password - this makes having control of someone's email an easy route to accessing accounts on other sites, perhaps even web banking.)
The Economist, The Register articles on Google Certificate in the wild
Noted security researcher Moxie Marlinspike talks at the yearly hacker conference "BlackHat 2011" about recent issues with SSL, the secure socket layer, which protects most electronic communications on the internet and in some banking networks. In the second half of his talk he discusses the complexity of the designs of security for the internet, and some possible solutions to the current situation.
SSL and the Future of Authenticity: Marlinspike @ BlackHat 2011
That the fake certificate came from an Iranian IP address suggests that this may be related to state-sponsored activity. In Iran this may represent extremely serious risks for activists who may be arrested and tortured, or even executed once their identities are revealed and private email accounts' contents read.
The certificate was issued by a reseller of a major SSL certificate vendor, Comodo. Browser vendors like Firefox, Apple (for Safari) and Google (for Chrome) rushed to invalidate the certificates for this vendor, but this act breaks much of the internet's security. The reason for this is that a small website's certificate is verified against a digital signature built into the browser - of which Comodo's is one. By including these in all browsers, all users across the whole internet implicitly trust Comodo to guard their top level certificate and computer systems very well - but they and all top level Certificate Authorities (CAs) are instantly and obviously a major target for nefarious hackers (aka "Black Hat" hackers, in this case suspected Iranian government agents).
Browsers today try to ensure security is effective by making users more aware of security - the little lock icon at the bottom of Firefox for a secure site, or the green bar at the top for the more expensive certificates (a differentiation that allows tiers of products to be sold for the primary goal - revenue). Unfortunately this revenue breeds competition and prices drop - and with dropping prices there's less revenue available to allocate to security, which here means vetting SSL certificate applicants for domain ownership, etc. Because the reduced revenues no longer cover the operating budgets, fewer people are on phones and the web doing the legwork to ensure proper credentials, and the result is that almost anyone can get a certificate for almost any domain - even a domain they don't own, given a minor amount of fraudulent information in their applications.
Ultimately, all the security of the internet for all eCommerce and web banking relies on this SSL security standard, and it is fundamentally flawed due to interests that compete with the primary desire of those issuing certificates - revenue. Additionally, the system was designed as a prototype in the early 90s when the web was nascent and eCommerce didn't exist, and many of the types of attack, where all subtleties and side effects count, were not imagined.
An entire overhaul of the system is required, and there are a few efforts ongoing. But considering that many people are still surfing the web with the ancient Internet Explorer 6.0, which is now 5-6 years old and woefully insecure but is the default browser in many Windows installs, it will be an uphill battle if browser updates are the method. Modern browsers are still susceptible to the mechanics of SSL certificate issuance, and more so to the delays of retraction, but some browser plugins are now available to assist, such as Marlinspike's Convergence. Unfortunately, the CA system will have to be dropped, but there are some very large companies who would not like to see this revenue disappear (such as GoDaddy and Verisign).
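
The two trust decisions discussed above, side by side, as a simplified model added here for illustration (it is not code from this article, from Convergence or from any browser). The first check accepts any certificate whose issuer is in the built-in root store; the second compares the certificate seen locally with what independent notaries on other networks saw. The certificate bytes, CA names and notary names are constructed placeholders, and signature validation is assumed to have passed.

```python
import hashlib

# Constructed stand-ins for certificates (not real DER data, hypothetical CA names).
GENUINE = {"subject": "*.google.com", "issuer": "Root CA A", "der": b"constructed-genuine"}
ROGUE = {"subject": "*.google.com", "issuer": "Root CA B", "der": b"constructed-rogue"}
ROOT_STORE = {"Root CA A", "Root CA B"}  # hypothetical CAs shipped in the browser


def fingerprint(cert):
    """SHA-256 over the certificate bytes, the value a pin or notary compares."""
    return hashlib.sha256(cert["der"]).hexdigest()


def ca_model_accepts(cert, root_store):
    """Simplified CA check: any trusted issuer may vouch for any name.
    (Signature and hostname validation are assumed to have passed.)"""
    return cert["issuer"] in root_store


def notary_verdict(local_cert, notary_views, threshold=1.0):
    """Accept only if enough responding notaries saw the same certificate.

    notary_views maps notary name -> certificate it received, or None if the
    notary could not be reached. Returns (verdict, dissenting notaries) and
    fails closed ("unknown") when no notary answers.
    """
    seen = {n: fingerprint(c) for n, c in notary_views.items() if c is not None}
    if not seen:
        return "unknown", []
    local_fp = fingerprint(local_cert)
    dissenting = sorted(n for n, fp in seen.items() if fp != local_fp)
    agreeing = len(seen) - len(dissenting)
    verdict = "accept" if agreeing / len(seen) >= threshold else "reject"
    return verdict, dissenting


def demo():
    views = {"notary-eu": GENUINE, "notary-us": GENUINE, "notary-asia": None}
    return {
        "rogue_passes_ca_model": ca_model_accepts(ROGUE, ROOT_STORE),
        "rogue_notary": notary_verdict(ROGUE, views),
        "genuine_notary": notary_verdict(GENUINE, views),
        "no_notaries": notary_verdict(GENUINE, {"notary-eu": None}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

A site that legitimately serves different certificates from different locations would also produce dissenting notaries, which is why the agreement threshold is a parameter rather than a fixed rule.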
