The attack presented yesterday at the CCC is very interesting. The researchers were able to predict the serial number by monitoring certificate issuance rates from a Certificate Authority, and use that information to mount a pretext attack against a future issued certificate whereby they generated an Intermediate CA cert with the same MD5 hash as the certificate they would request in the future. (I know that is a little difficult to parse.)
Hash algorithms are widely used for a variety of tasks including verifying data integrity, authenticating passwords, and signing certificates. For the laymen the hash algorithm seems like a magic sausage grinder: dump in whatever you have and out comes a unique number. The trouble is, the internal mechanics of a hash algorithm are less like a simple mechanical machine and more like a Rube-Goldberg device. The internal mechanisms of bit shifting and mathematics would be incomprehensible to most who place blind faith in the algorithm’s ability to generate “unique” numbers.