SHA is just used for verification in TLS, so the security considerations are different from those when it's used to, say, hash passwords. There's not much in the way of attacks that could take advantage of SHA being broken, and most that would would involve things like MITM-replacing packets in real-time with different ones with colliding hashes. It's probably true that for some classes of crypto problems, the NSA has incrementally-better cryptanalytical capabilities than the public does, but being able to find collisions in real-time, even for SHA1, seems like a very tall order.