SHA1 is definitely not in the category "will not break in 100 years given current knowledge".

But the design of SHA1 looks pretty similar to SHA256[1]... And BLAKE[2].. and many other unbroken hash functions.

They nearly all have the idea of doing a bunch of simple bit-mixing operations (for example, shuffle the bits and xor) a lot of times so it becomes infeasible to reason about how to manipulate the input to get a given output.

[1]: https://upload.wikimedia.org/wikipedia/commons/thumb/7/7d/SH...

[2]: https://d3i71xaburhd42.cloudfront.net/cd2e43a515c8a65a58c87e...

The most recent and powerful collision attack on SHA1 is essentially a form of differential cryptanalysis, made feasible by SHA1's linear key schedule. SHA2 has a totally different key schedule that doesn't admit the same attack.

Blake2 looks like SHA2 in the sense that all cryptographic hash functions look kind of similar, but they're unrelated:

* the BLAKE hashes are derived from ChaCha20

* they're HAIFA hashes rather than Merkle-Damgård (you can sort of think of MD hashes as "previous generation" hashes, and anything after that as "current generation") --- MD hashes work sort of the way you'd think CBC-MAC works (just chaining and throwing out the results), and HAIFA keeps state between rounds.

* MD4, MD5, SHA1, and SHA2 are straight Davies-Meyer constructions --- the compression function (1) encrypts the chaining value (2) with the current message block as the key and (3) XORs the result against the chaining value --- and BLAKE isn't.

Aumasson has posted, I think a couple times, a prediction that collisions in SHA2 simply won't ever be found; that's based on an assessment that there is essentially nothing on the horizon that threatens it. The reasons not to use SHA2 are performance (though: SHA2 has excellent perf on current hardware) and avoiding length extension attacks (i.e., forgetting to use HMAC instead of keyed hashes, which nobody does).
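The Davies-Meyer / Merkle-Damgård structure and the length-extension point from the comment above, as an added toy example (not code from the thread or from any of the hash functions named): XTEA stands in for the block cipher, the chaining value is 64 bits, the IV and the "secret"/message/extension strings are constructed, and the demo shows why a plain H(key||msg) tag is extendable while an HMAC over the same hash is not.

```python
import struct

MASK32, DELTA, BLOCK = 0xFFFFFFFF, 0x9E3779B9, 16   # 16-byte message block = cipher key size
IV = bytes.fromhex("0123456789abcdef")              # toy 64-bit chaining value (constructed)

def xtea_encrypt(key16: bytes, block8: bytes) -> bytes:
    """XTEA, used only as a toy stand-in for the cipher inside an MD4-family compression function."""
    k, (v0, v1), s = struct.unpack(">4I", key16), struct.unpack(">2I", block8), 0
    for _ in range(32):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)

def compress(h: bytes, m: bytes) -> bytes:
    """Davies-Meyer: encrypt the chaining value under the message block, XOR with the chaining value."""
    return bytes(a ^ b for a, b in zip(xtea_encrypt(m, h), h))

def md_pad(total_len: int) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then the 64-bit message length in bits."""
    return b"\x80" + b"\x00" * ((BLOCK - 9 - total_len) % BLOCK) + struct.pack(">Q", total_len * 8)

def toy_hash(msg: bytes, state: bytes = IV, prior_len: int = 0) -> bytes:
    """Plain MD chaining; `state`/`prior_len` let a caller resume from a known digest."""
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def length_extend(digest: bytes, known_len: int, ext: bytes):
    """From H(x) and len(x) alone, produce (suffix, H(x || suffix)) with suffix = pad || ext."""
    glue = md_pad(known_len)
    return glue + ext, toy_hash(ext, state=digest, prior_len=known_len + len(glue))

def toy_hmac(key: bytes, msg: bytes) -> bytes:
    """HMAC over the toy hash: the outer hash hides the inner chaining state from the tag."""
    key = key.ljust(BLOCK, b"\x00")
    ipad, opad = (bytes(b ^ c for b in key) for c in (0x36, 0x5C))
    return toy_hash(opad + toy_hash(ipad + msg))

def demo():
    """Returns (naive H(k||m) extendable?, HMAC extendable?) for the constructed sample values."""
    secret, msg, ext = b"s3cret", b"amount=10", b"&amount=9999"
    tag = toy_hash(secret + msg)                                   # H(key || msg); key never used below
    suffix, forged = length_extend(tag, len(secret) + len(msg), ext)
    naive_extendable = forged == toy_hash(secret + msg + suffix)   # True: the digest IS the chaining state
    mac = toy_hmac(secret, msg)
    _, forged_mac = length_extend(mac, len(secret) + len(msg), ext)
    hmac_extendable = forged_mac == toy_hmac(secret, msg + suffix)  # False: outer hash breaks the chain
    return naive_extendable, hmac_extendable
```

The same resumption trick applies to real MD hashes (MD5, SHA1, SHA-256) because their digest is the final chaining value; HMAC, or a hash that finalizes differently (the HAIFA/BLAKE family, SHA-3), closes that gap.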

