Google announced they’ve got a practical attack against SHA-1 hashes: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Anyone using SHA-1 in their TLS certificates (such as TLS_RSA_WITH_AES_128_CBC_SHA) should consider moving to a more secure cipher suite. If the name of the cipher suite doesn’t specify which SHA variant is in use (i.e SHA256), the insecure SHA1 is the default —Eric
