
> They just need to have bought/stolen/subpoenaed/cracked the private key of any CA

The CA's private key isn't involved in the encryption. It is used to sign the SSL certificate. Google's private key or a flaw in the crypto algorithm is needed to decrypt the traffic and that is most probably what the NSA is doing.

They are roughly 30 years ahead in crypto analysis. They have shown this when they gave us hints on hardening the current crypto algorithms to make them secure enough for today's use (like online-banking, secure ordering over the Internet etc). They however have no problems with them.




If you have the private key of a trusted CA (e.g. a CA in the browser), then you can sign a certificate for any site.

E.g. if your browser trusts RSA as a CA and I had RSA's private key, then I could create a new certificate for any site I want on the fly and sign it with a CA's key that your browser trusts.

There are several products that do this (e.g. Bluecoat's Proxy-SG) to filter/cache SSL traffic for enterprise customers. In these cases they just create their own in-house CA and add it to the standard install of all their corporate browsers. If you had the private key of any trusted certificate authority (and there's a scarily large number of them, including ones owned by governments) then you could create certs on the fly for any site and decrypt all traffic.

Trust me - I've built products that do this, and written an entire SSL stack from scratch.


Well, you would be right in terms of this working, but if the NSA were doing this it would have been noticed. Also, that trick won't work when certificate pinning gets involved, so going to Gmail in Chrome would pop up a warning message if they tried. Supposedly PRISM has access to Gmail, so at the very least the NSA is doing something else in addition to selective SSL MITM attacks.
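
Added example, not part of any comment in this thread: a simplified Python model of why a certificate issued under any trusted CA passes ordinary chain validation but fails a pin check. The host name `mail.example`, the CA names, the byte strings standing in for DER-encoded public keys and all function names are constructed assumptions; signature verification is assumed to succeed and is not modelled.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
SITE_SPKI = b"constructed-spki:mail.example:site-key"
LEGIT_CA_SPKI = b"constructed-spki:Legit CA"
OTHER_CA_SPKI = b"constructed-spki:Other Trusted CA"
REISSUED_SPKI = b"constructed-spki:mail.example:other-key"

def spki_pin(spki: bytes) -> str:
    """Pin value: base64 of the SHA-256 digest of the public key bytes."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

# Hypothetical trust store: every CA listed here may vouch for any host name.
TRUST_STORE = {"Legit CA", "Other Trusted CA"}
# Hypothetical pin set shipped with the client: the site's key and its usual CA's key.
PINS = {"mail.example": {spki_pin(SITE_SPKI), spki_pin(LEGIT_CA_SPKI)}}

def ca_trusted(chain) -> bool:
    """Simplified chain validation: signatures are assumed valid, so the only
    remaining question is whether the chain ends at a CA in the trust store."""
    return chain[-1]["subject"] in TRUST_STORE

def pin_ok(host: str, chain) -> bool:
    """At least one key in the chain must hash to a pinned value.
    Hosts without pins fall back to CA trust alone."""
    pins = PINS.get(host)
    if pins is None:
        return True
    return any(spki_pin(cert["spki"]) in pins for cert in chain)

def accept(host: str, chain) -> bool:
    """Client decision: name matches, chain is CA-trusted, and pins (if any) match."""
    return chain[0]["subject"] == host and ca_trusted(chain) and pin_ok(host, chain)

# The site's real chain.
genuine = [{"subject": "mail.example", "spki": SITE_SPKI},
           {"subject": "Legit CA", "spki": LEGIT_CA_SPKI}]
# Same host name, different key, issued under a different CA the client also trusts.
reissued = [{"subject": "mail.example", "spki": REISSUED_SPKI},
            {"subject": "Other Trusted CA", "spki": OTHER_CA_SPKI}]
```

Both chains satisfy `ca_trusted`, but only `genuine` satisfies `accept("mail.example", ...)`; a host with no entry in `PINS` gets no such protection.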


> They are roughly 30 years ahead in crypto analysis.

For various definitions of "roughly"...


They were 30 years ahead when they tipped their hand around DES.

Today? Who knows.



