
Please don't use SHA-1. It's almost broken.



The protocol is actually extensible, and the hashing algorithm MUST always be specified by the server (which the client could then choose to not accept, just as it can reject the certificate because of the signature algorithm).

Also, it would require a preimage attack against one of the hashed items to be useful, which SHA-1 will likely be resistant to for a long time (though decreasing with the number of items hashed), and SHA-1 is unlikely to be vulnerable to a preimage attack in the near future based on what we know so far.

The signature and certificates that are used to validate the top-level index can be based on a far better hashing algorithm independently of the content-based hashing.


Use multihashes for hash algorithm agility :) https://github.com/multiformats/multihash


Multiple hashing algorithms are already built in and mandatory; everywhere a hashing operation is used, the hashing algorithm must also be specified.
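The two points above (every hash in the protocol carries its algorithm, and a client may refuse an algorithm it does not trust, as with multihash) can be seen in a small self-contained Python example. This is an added example, not code from the thread or from the project being discussed: it encodes digests in the multihash layout (varint algorithm code, varint digest length, digest bytes) using the real multihash codes for sha1, sha2-256 and sha2-512, and a client-side policy that rejects SHA-1 digests even when they are well-formed. The policy set, the function names and the sample input are assumptions for illustration.

```python
"""Hash agility in the multihash layout: every digest carries its algorithm."""
import hashlib
import hmac
from typing import Dict, Tuple

# Codes from the multiformats multihash table (real values).
MULTIHASH_CODES: Dict[str, int] = {"sha1": 0x11, "sha2-256": 0x12, "sha2-512": 0x13}
CODE_TO_NAME = {code: name for name, code in MULTIHASH_CODES.items()}
# Map multihash names to hashlib constructor names.
HASHLIB_NAME = {"sha1": "sha1", "sha2-256": "sha256", "sha2-512": "sha512"}

# Client policy (an assumption for this example, not part of any spec):
# digests made with SHA-1 are rejected even when they are well-formed.
ACCEPTED_ALGORITHMS = frozenset({"sha2-256", "sha2-512"})


def _uvarint_encode(n: int) -> bytes:
    """Encode a non-negative integer as an unsigned LEB128 varint."""
    if n < 0:
        raise ValueError("varint must be non-negative")
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _uvarint_decode(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a varint at buf[pos]; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def multihash(data: bytes, algorithm: str) -> bytes:
    """Return <code varint><length varint><digest> for data under the named algorithm."""
    code = MULTIHASH_CODES[algorithm]
    digest = hashlib.new(HASHLIB_NAME[algorithm], data).digest()
    return _uvarint_encode(code) + _uvarint_encode(len(digest)) + digest


def parse_multihash(mh: bytes) -> Tuple[str, bytes]:
    """Split a multihash into (algorithm name, digest); reject malformed or unknown input."""
    code, pos = _uvarint_decode(mh, 0)
    length, pos = _uvarint_decode(mh, pos)
    name = CODE_TO_NAME.get(code)
    if name is None:
        raise ValueError("unknown multihash code 0x%x" % code)
    digest = mh[pos:pos + length]
    if len(digest) != length or pos + length != len(mh):
        raise ValueError("digest length does not match declared length")
    if length != hashlib.new(HASHLIB_NAME[name]).digest_size:
        raise ValueError("declared length does not match %s output size" % name)
    return name, digest


def verify(data: bytes, mh: bytes, accepted=ACCEPTED_ALGORITHMS) -> bool:
    """True only if mh is well-formed, uses an accepted algorithm, and matches data."""
    try:
        name, digest = parse_multihash(mh)
    except ValueError:
        return False
    if name not in accepted:
        return False  # policy rejection, independent of whether the digest matches
    expected = hashlib.new(HASHLIB_NAME[name], data).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    blob = b"constructed sample content"  # constructed input, not from the thread
    for algo in ("sha1", "sha2-256"):
        mh = multihash(blob, algo)
        print(algo, mh.hex()[:12] + "...", "accepted" if verify(blob, mh) else "rejected")
```

The point the thread is making is visible in `verify`: the algorithm is read from the data, never assumed, so a server that still emits SHA-1 digests is rejected by policy rather than silently accepted, while sha2-256 and sha2-512 digests verify normally. The declared-length check guards against a digest that is truncated or padded while keeping a valid-looking code.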



