Breaking SHA-1 has been a goal of security users for quite a while, so it's quite a feather in Google's cap to be first. (It's possible, though, that the NSA, Russians or others have had one that they've kept under wraps.) The team said that the collision "is one of the largest computations ever completed," so Google's cloud infrastructure was an indispensable part of that.

There's no great danger for users. Google Chrome, Microsoft's Edge, Firefox and all other major browsers flag HTTPS sites that use SHA-1 as insecure with a big red warning -- so very few use it for verifying digital content. The team won't release the attack (Dad-jokingly called "SHAttered") for 90 days, in order to give affected sites time to deal with it.

Also, even though Google has made it 100,000 times faster to crack an SHA-1 certificate, it would still require some serious computing horsepower to do so. Google says it requires 12 million GPUs a full year to brute force a certificate, while the SHA-1 "Shattered" attack takes just 110 GPUs. For now, however, you'd still need a supercomputer or server farm (or a bot farm) to crack one in a reasonable amount of time.

As a proof of concept, Google is hosting two PDFs with the different content but the same hash, and has supplied the public with a free detection app. It had a lot of motivation to be first with a collision. It led the movement to deprecate SHA-1 because it's advertising business relies heavily on secure sites and ad platforms -- making the discovery a giant "I told you so" of sorts.