It does raise the question of what all the mathematicians are doing at NSA, and why they don't seem to have come up with any meaningful results. Suggests they are a waste of money, but then that's all of the NSA.
I suggest all of you check the original material (powerpoints w/ screenshots). A lot of people here suffer from the action movie mentality where they think the NSA is not like any other government agency, i.e. inefficient, behind the times, filled with horrible middle managers, deadweight... you get the idea. Things like the enterprise Java web interface, the CSV mass data export and "genericIPSec_wrapper.pl" can quickly dispel that myth.
For instance:
* We know that the NSA has a novel md5 collision capability since they have used it in their malware. None of the Snowden docs, that I have seen, have talked about this.
* It is likely based on public research that the NSA can break 1024-bit RSA, but this has not shown up in the documents either.
My personal belief is that we are missing compartments dealing with cryptanalysis because Snowden did not have access to them. His work and access were focused on Computer Network Operations and not cryptanalysis.
It would be expensive though. This is one reason why I consider 1024-bit end entity certificates much less of a threat than 1024-bit CA roots.
While you could use a faux CA root to sign faux certs for any site you want (ideally ones who are customers of that CA), in practice your use is severely limited. If faux certs are spotted and no one knows where they came from, suspicions are going to be raised. Not only is your faux CA root compromised, but now you may have tipped your hand regarding your capabilities.
To limit that possibility, your attacks would have to be extremely targeted. The more often a fake cert is used and the more people exposed to it, the higher the likelihood that someone will notice what is going on.
It also doesn't help you decrypt the real traffic to the site, or historical traffic, which busting the site's actual SSL key can yield. This presumes that you have a way of intercepting said traffic, but I think it's pretty clear that that is not out of the question (public wifi / ISP cooperation / fiber optic taps / malware). It's more work to bust individual certs, but you're leaving a smaller trail and you aren't sending out examples of your RSA cracking capabilities to your opponents over the public Internet.
Lowering the risk of exposure will let an attacker use the same methods over a much longer period of time, which I think is the goal here.
As to how to combat this: there is a lot of low hanging fruit. Besides the obvious, I would love to see much shorter expiration times for certs become the norm (as in weeks, if not days). For this to realistically happen in a widespread fashion, at minimum CAs need to embrace the concept from a pricing perspective.
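The two defensive points raised in this thread, that 1024-bit keys (especially on CA roots) are a liability and that certificate lifetimes should be much shorter, are the kind of thing an operator can check mechanically. Below is an added example, not code from anyone in the thread, of a small certificate audit in Go: it parses an X.509 certificate, flags RSA keys under a minimum size, flags validity periods longer than a maximum, and notes when the weak certificate is itself a CA. The thresholds (2048 bits, 90 days), the `AuditCert` and `SelfSignedRSA` names, and the throwaway self-signed certificates generated for the demonstration are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy thresholds assumed for this example; they are not values from the thread.
const (
	MinRSABits      = 2048
	MaxValidityDays = 90
)

// AuditCert returns human-readable findings for a parsed certificate.
// An empty slice means the certificate passes both checks.
func AuditCert(cert *x509.Certificate) []string {
	var findings []string

	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < MinRSABits {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits (< %d)", bits, MinRSABits))
		}
	case *ecdsa.PublicKey:
		// Key size is not the concern here; ECDSA curves are accepted as-is.
	default:
		findings = append(findings, fmt.Sprintf("unrecognised public key type %T", pub))
	}

	// Long-lived certificates widen the window in which a cracked key stays useful.
	days := cert.NotAfter.Sub(cert.NotBefore).Hours() / 24
	if days > MaxValidityDays {
		findings = append(findings, fmt.Sprintf("validity period is %.0f days (> %d)", days, MaxValidityDays))
	}

	// A weak CA certificate undermines every leaf it signs, so call that out explicitly.
	if cert.IsCA && len(findings) > 0 {
		findings = append(findings, "certificate is a CA: weaknesses above affect every leaf it signs")
	}
	return findings
}

// SelfSignedRSA builds a throwaway self-signed certificate (constructed test input)
// with the given RSA key size, validity window and CA flag.
func SelfSignedRSA(bits int, validFor time.Duration, isCA bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.invalid"}, // placeholder name
		NotBefore:             now,
		NotAfter:              now.Add(validFor),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// A 1024-bit CA root valid for three years: exactly the case the thread worries about.
	weakRoot, err := SelfSignedRSA(1024, 3*365*24*time.Hour, true)
	if err != nil {
		panic(err)
	}
	for _, f := range AuditCert(weakRoot) {
		fmt.Println("weak root:", f)
	}

	// A 2048-bit leaf valid for 30 days passes both checks.
	leaf, err := SelfSignedRSA(2048, 30*24*time.Hour, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("short-lived leaf findings: %v\n", AuditCert(leaf))
}
```

In practice you would feed `AuditCert` the chain returned by `tls.ConnectionState.PeerCertificates` or certificates loaded from a trust store, rather than generating them; the self-signed helper exists only so the example runs offline.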