It’s always interesting to observe the reaction of the media and cryptographic community to announcements that an algorithm has been broken. It says a lot about our perspective on security countermeasures. Too often, we regard them as either perfect or ineffective, when the truth is that they all have varying degrees of effectiveness, and these can change over time, due to new threats, vulnerabilities or occasional breakdowns.
A classic example is the recent claim that MD5 had been broken as an exclusive hash function, resulting in the possibility that it might be possible to forge some types of SSL certificate. Many media reports, like this one in The Register, suggest a sensational blunder. But the reality is that SSL certificates represent only one layer of security for authenticating sources, and the expertise and computing power required to achieve a successful attack are neither trivial nor widely available.
No countermeasure is perfect. Most can be expected to expire, wear out or fail at some point. That’s why defence-in-depth will always be the preferred model for security.