Why have some security experts recommended replacing SHA₁ with SHA₂ or SHA₃?

- SHA₁ hash collisions have been used to forge digital certificates.
- Attacking SHA₁ hashes is expensive, but the cost is decreasing so attacks on SHA₁ are becoming more feasible.
- A full hash collision of SHA₁ has been published.
- Attacking SHA₁ hashes is easy and takes little processing power