It's not broken in terms of the implementation (eg. buffer overflows). The protocol itself is fundamentally broken. Sandboxing http isn't going to protect your credit card information, and sandboxing md5 isn't going to prevent people from finding collisions.