To take advantage of the SHA1 weakness in a practical way, it seems that you would have to be able to create two certificates that have different public keys but the same hash value, in order to impersonate the original certificate for a URL, set up a TLS connection for the original URL, and successfully decrypt the traffic. I haven't found any SHA1 collision discussion that indicates that anything like this has been demonstrated. The examples of different documents with the same hash value seem to differ in ways (e.g. extra characters at the end of a file) that would not result in a useful forged certificate.

Is the creation of two certs with different public keys and the same SHA1 hash possible? Is there any property of SHA1 hash collisions that would prevent this? If not, is it just a matter of computing power to create a forged SHA1 cert that would work in a TLS connection?
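An added illustration of the mechanism the question is reasoning about (example code written for this page, not from the question or from any answer): a CA signs the hash of the to-be-signed certificate body, so any two bodies with the same hash share one valid signature. A real SHA-1 collision of this shape is far beyond a script, so the hash here is SHA-1 truncated to 32 bits, the CA signature is textbook RSA with small primes, and the certificate body is a simplified length-prefixed stand-in for DER; the subject and key strings are constructed placeholders. A birthday search varies a nonce field on each side independently, so the two colliding bodies carry different public keys, which is the property a forged certificate would need.

```python
import hashlib
import struct

# Toy parameter: SHA-1 truncated to 32 bits plays the role of a badly
# broken hash so that a collision is found in about a second.
HASH_BYTES = 4


def weak_hash(data: bytes) -> bytes:
    """Stand-in for a broken hash function (SHA-1 truncated to 32 bits)."""
    return hashlib.sha1(data).digest()[:HASH_BYTES]


def build_tbs(subject: bytes, public_key: bytes, nonce: int) -> bytes:
    """Simplified 'to-be-signed' body: three length-prefixed fields.

    Real certificates are DER-encoded TBSCertificate structures; the nonce
    stands in for any field whose bytes the requester can choose freely.
    """
    fields = [subject, public_key, struct.pack(">I", nonce)]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def parse_tbs(tbs: bytes) -> list:
    """Parse the fields back out, rejecting anything that is not well formed."""
    fields, pos = [], 0
    while pos < len(tbs):
        if pos + 2 > len(tbs):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">H", tbs[pos:pos + 2])
        pos += 2
        if pos + n > len(tbs):
            raise ValueError("truncated field")
        fields.append(tbs[pos:pos + n])
        pos += n
    if len(fields) != 3:
        raise ValueError("wrong field count")
    return fields  # [subject, public_key, nonce]


# Textbook RSA with small primes as a toy CA (no padding, tiny modulus).
# It only has to show that the signature covers the hash of the body,
# never the body itself.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def ca_sign(tbs: bytes) -> int:
    h = int.from_bytes(weak_hash(tbs), "big")
    return pow(h, D, N)


def ca_verify(tbs: bytes, sig: int) -> bool:
    h = int.from_bytes(weak_hash(tbs), "big")
    return pow(sig, E, N) == h


def find_colliding_pair(subject: bytes, key_a: bytes, key_b: bytes,
                        limit: int = 1 << 20):
    """Birthday search for nonces na, nb such that the body carrying key_a
    with nonce na and the body carrying key_b with nonce nb hash alike.
    Each side varies only its own nonce, so the public keys stay different.
    """
    seen_a, seen_b = {}, {}
    for i in range(limit):
        tbs_a = build_tbs(subject, key_a, i)
        ha = weak_hash(tbs_a)
        if ha in seen_b:
            return tbs_a, build_tbs(subject, key_b, seen_b[ha])
        seen_a[ha] = i
        tbs_b = build_tbs(subject, key_b, i)
        hb = weak_hash(tbs_b)
        if hb in seen_a:
            return build_tbs(subject, key_a, seen_a[hb]), tbs_b
        seen_b[hb] = i
    raise RuntimeError("no collision within limit")


def demo() -> dict:
    # Constructed placeholders, not real key material.
    subject = b"CN=example.com"
    legit_key = b"LEGIT-PUBKEY-" + bytes(20)
    rogue_key = b"ROGUE-PUBKEY-" + bytes(20)
    tbs_legit, tbs_rogue = find_colliding_pair(subject, legit_key, rogue_key)
    sig = ca_sign(tbs_legit)  # the CA only ever sees the legitimate body
    return {
        "same_hash": weak_hash(tbs_legit) == weak_hash(tbs_rogue),
        "keys_differ": parse_tbs(tbs_legit)[1] != parse_tbs(tbs_rogue)[1],
        "sig_valid_for_legit": ca_verify(tbs_legit, sig),
        "sig_valid_for_rogue": ca_verify(tbs_rogue, sig),
        "rogue_key": parse_tbs(tbs_rogue)[1],
    }


if __name__ == "__main__":
    print(demo())
```

The search succeeds because each side may choose its own content; a collision where the two inputs must share everything except bytes the attacker cannot place in a key field would not give this result. Appending bytes to the end of a body is of no use here either: it changes the hash, so the CA's signature no longer verifies, and a parser like `parse_tbs` rejects the trailing data.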