When the National Security Agency (NSA) introduced Secure Hash Algorithm 1 (SHA-1) in 2002 as an approved cryptographic security algorithm it was practically unbreakable. That was a long, long time ago.
Since then, SHA-1 has been used in numerous secure applications. These include web Secure-Socket Layer (SSL) certificates, encrypted communications, and code revision control systems such as Git.
SHA-2 uses SHA-1's algorithm, but it uses different input and output sizes for far superior security. SHA-2 includes a series of SHA options designated by the size of the generated hash: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. NIST approved SHA-3, which uses a new algorithm, in 2015. However, there are few practical SHA-3 implementations. Thus, SHA-2 is the current popular secure algorithm.
So, while it's very interesting that Google has announced the first SHA-1 collision, practically speaking it's not as important as some people might have you believe. True, as Google points out, it's to be hoped that "SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256." But are that many people using modern technology still using SHA-1?
Besides, as Matthew, a security consultant, pointed out on StackExchange: "Currently, given the specific collision method used, the impact is quite limited." He continued, "the Google announcement mostly just confirms what had been suspected for a while -- SHA-1 is vulnerable to collisions, just as MD5 was, but finding them requires a lot of effort, and most of the really high profile targets (such as generating CA certificates) have mitigation in place from the very similar MD5 collisions found previously. Experts have been advising moving from SHA-1 for a while now, and this advice still stands."
As for other SHA uses, Peter Gutmann, a cryptography expert at the at the University of Auckland, New Zealand, wrote, "After sitting through an endless flood of headless-chicken messages ... I thought I'd do a quick writeup about what this actually means. In short: Reports of SHA-1's demise are considerably exaggerated."
Guttman continued, Google's "presentation of the results is detailed and accurate, it's the panicked misinterpretation of those results that are the problem. The only real-world problem isn't with e-mail, SSL, SSH, IPsec, etc., etc. it's with long-term document signing and certificates."
In other words, while SHA-1 has indeed reached the end of the road, we've already set up the detour signs years ago. For those few people still using SHA-1, it's time to move on. But most of us have already left SHA-1 behind in our rear-view mirrors.