Google Announces First Practical SHA1 Collision


  • Google Announces First Practical SHA1 Collision

    Phoronix: Google Announces First Practical SHA1 Collision

    While SHA1 is still much better off than MD5, developers really should think about moving to SHA256 or other crypto hashes with Google now demonstrating the first SHA1 collision...


  • #2
    I figure in the vast majority of cases (even for most servers), SHA1 is plenty good enough. Even MD5 is good enough for the average person. In the perspective of companies like Google, IBM, MS, Dropbox, etc, I can definitely see why SHA256 is a necessity.

    EDIT:
    I kind of just realized that Google probably caused more damage with this discovery than they hoped to prevent (especially if those PDFs get released). The average hacker has nowhere near the resources Google has to come to the same conclusion, so as far as hackers were concerned, discovering this wouldn't have been worth their time. Sure, some people would know that it is statistically possible to have 2 different files with the same checksum, but, I don't think anybody knew specifically how to do it. Now, there's definitive proof of it, and we know what file type is known to work.

    Regardless, this is very interesting stuff.


    EDIT 2:
    Contrary to people's adamant suggestions, checksums are not specifically intended for security. To quote from Wikipedia:
    "A checksum is a small-sized datum from a block of digital data for the purpose of detecting errors which may have been introduced during its transmission or storage. It is usually applied to an installation file after it is received from the download server. By themselves, checksums are often used to verify data integrity but are not relied upon to verify data authenticity."
    Checksums are a great way to ensure data has been accurately (and therefore securely) transferred, but again, that's not the purpose.

    People really need to chill out and do some research... Sure, I may have been implicit in my statements but that doesn't make them as wrong as others seem to suggest.
    Last edited by schmidtbag; 23 February 2017, 12:07 PM.



    • #3
      There had been some chat in the security arena about Google's motivations for pushing for the sunsetting of SHA1. Some speculated they 'knew something that we don't all know' about potential weaknesses to SHA1. Seems that camp may have been on the right path.



      • #4
        Originally posted by willmore
        There had been some chat in the security arena about Google's motivations for pushing for the sunsetting of SHA1. Some speculated they 'knew something that we don't all know' about potential weaknesses to SHA1. Seems that camp may have been on the right path.
        I think everybody knew SHA1 was vulnerable in theory, that was no secret.



        • #5
          Originally posted by bug77

          I think everybody knew SHA1 was vulnerable in theory, that was no secret.
          No, we didn't have any specific reason to believe that. Other hash functions have had weaknesses demonstrated and that's why there have been efforts to remove them from use. That wasn't the case for SHA1. We just knew that from a complexity standpoint, it was likely to be next in line to get attacked. But, there was no clear time scale for that to happen. It wasn't expected to happen for a few more years at the soonest. That's why most of the security industry was pushing back against Google's attempts to deprecate it.



          • #6
            Though it's still not too easy to come by such an attack: Google's SHA1 "shattered" attack takes 110 GPUs one year of work to produce a collision while a SHA1 bruteforce attack on the other hand would take 12 million GPUs and a year worth of work.
            The second occurrence should surely be SHA256?



            • #7
              Originally posted by willmore

              No, we didn't have any specific reason to believe that. Other hash functions have had weaknesses demonstrated and that's why there have been efforts to remove them from use. That wasn't the case for SHA1. We just knew that from a complexity standpoint, it was likely to be next in line to get attacked. But, there was no clear time scale for that to happen. It wasn't expected to happen for a few more years at the soonest. That's why most of the security industry was pushing back against Google's attempts to deprecate it.



              • #8
                SHA-1 is 160 bits, while its successors SHA-2 and SHA-3 are larger (depending on variant, 224, 256, 384, 512 bits).
                Naturally more bits have more room for differentiation so it is more secure.
                But it's nicer with small hashes that are not so large, because they are easier to pass around in a URL query parameter, HTTP header, email signature, or displayed on a webpage in a table or something.

                Is it okay to truncate a SHA-2 or SHA-3 hash such as cutting away the last characters and only keeping the 40 bytes?
                Is a truncated 40-byte SHA-2 or SHA-3 hash any more secure than a SHA-1 hash?

                Edit: I found out the answers to my questions. http://crypto.stackexchange.com/ques...-as-using-sha1
                Last edited by uid313; 23 February 2017, 11:23 AM. Reason: I found out the answers to my questions

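Added example, not part of any post in this thread: the truncation question in #8, worked through in Python. It runs a generic birthday search against short truncations of SHA-256 to show that collision cost follows about 2^(n/2) hashes for an n-bit output, and it builds the 40-hex-character (160-bit) SHA-256 truncation the post asks about. The function names and sample messages are constructed for illustration, and the scaling argument assumes SHA-256 itself has no shortcut collision attack.

```python
import hashlib
from itertools import count


def truncated(data: bytes, bits: int, algo: str = "sha256") -> int:
    """Return the leftmost `bits` bits of the digest as an integer."""
    digest = hashlib.new(algo, data).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def sha256_160_hex(data: bytes) -> str:
    """SHA-256 cut to 160 bits: 40 hex characters, the same length as SHA-1."""
    return hashlib.sha256(data).digest()[:20].hex()


def birthday_collision(bits: int, algo: str = "sha256"):
    """Generic collision search on a truncated hash.

    Hashes distinct constructed messages until two share the same truncated
    digest. Returns (msg_a, msg_b, hashes_computed). No weakness of the hash
    is used; only the output length matters.
    """
    seen = {}
    for i in count():
        msg = b"constructed-sample-%d" % i  # constructed input, not real data
        tag = truncated(msg, bits, algo)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, n = birthday_collision(bits)
        print(f"{bits}-bit truncation: collision after {n} hashes "
              f"(2^{bits // 2} = {2 ** (bits // 2)})")
    h = sha256_160_hex(b"hello")
    print(f"SHA-256 truncated to 160 bits: {h} ({len(h)} hex chars)")
```

The observed counts track 2^(n/2), so the same generic search against a 160-bit truncation needs about 2^80 hashes, which is the brute-force class of cost quoted in #6 rather than the far cheaper shortcut demonstrated against SHA-1.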


                • #9
                  Originally posted by schmidtbag
                  The average hacker has nowhere near the resources Google has
                  Strongly disagree. Average hackers have exactly the same resource as Google because you can rent Google's GPU servers for $0.70/hour. There's also AWS and organised criminals will have access to massive botnets that dwarf both.

                  Google's specs say it takes 40150 "GPU days" to brute these. A big enough cluster and you're looking at hours. $700k on GCE, but I'd be shocked if there wasn't cheaper.
                  Last edited by oliw; 23 February 2017, 12:11 PM.



                  • #10
                    Originally posted by schmidtbag
                    I figure in the vast majority of cases (even for most servers), SHA1 is plenty good enough. Even MD5 is good enough for the average person. In the perspective of companies like Google, IBM, MS, Dropbox, etc, I can definitely see why SHA256 is a necessity.
                    How serious are you?

                    If signatures are too weak, then nearly everybody could mess things up, also for security reasons you always include a big enough timer buffer regardless of the use case. If you can say "algorithm A" can be brute forced within minutes in 10 years, then this algorithm is already for everyday usage today.

                    Also there is no reason not to use SHA256+ everywhere, why should anybody use SHA1 if there are better alternatives?

                    Originally posted by schmidtbag
                    EDIT:
                    I kind of just realized that Google probably caused more damage with this discovery than they hoped to prevent (especially if those PDFs get released). The average hacker has nowhere near the resources Google has to come to the same conclusion, so as far as hackers were concerned, discovering this wouldn't have been worth their time. Sure, some people would know that it is statistically possible to have 2 different files with the same checksum, but, I don't think anybody knew specifically how to do it. Now, there's definitive proof of it, and we know what file type is known to work.

                    Regardless, this is very interesting stuff.
                    No, they didn't. They did the right thing by exposing what's wrong with SHA1. And please don't think that Google is the _first_ one to find this issue. There might be others as well with the same knowledge, but they kept it secret from the public. If you find issues within security-relevant stuff you expose those. Always.
