I haven't put on my curmudgeon's hat in way too long. This isn't going to be a very long post, and if you don't know what a hash function is and what it's used for, all you need to do is make sure you're keeping up with security upgrades. Modern web browsers are already safe, and have been for the last three years or so; if you're still using a browser older than that, you should upgrade it. Some other programs in common use are not safe yet, so watch for security upgrades in the coming months.

If you're still with me, I just wanted to point the people who worry about such things at the latest vulnerability-with-a-catchy-name: SHA-1 is a Shambles. Tl;dr: the cost to construct a pair of different messages with the same SHA-1 hash has dropped to well under $100K worth of rented GPU time. Attacks still aren't exactly practical -- they used 900 GPUs for a couple of months -- but it's only a matter of time.

Section 7 of the paper [PDF] goes into detail on current usage of SHA-1 and what is being done about it. SHA-1 has been deprecated since 2011, and is no longer allowed in digital signatures. There are, however, still some older programs and protocols where it's an option, and X.509 certificates are still being issued with SHA-1 signatures (although modern browsers will reject them). They're being fixed, but you should make sure gpg, ssh, and web browsers are up to date, and if you're a developer, please stop using or accepting keys or certificates with SHA-1 signatures.

Git uses SHA-1 hashes to identify objects, and indirectly to sign commits. The developers are working on using longer hashes, and it now includes collision-detection; I'll be particularly interested in that work going forward.