They have fake certificates from trusted authorities for some major sites, and use MITM attacks to serve up fake pages with them. We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them. We can also potentially defend against this by using more certificate pinning and warnings which certificates change unexpectedly, as well as distributed certificate checks (to make sure the one you get is the same one everyone else gets).
I don't think so because not many people use trusted authorities with SSH. (In fact I've never heard of anyone doing that, but surely there are people who do). Most likely the NSA just sits there sniffing traffic that goes by, waiting until there's an SSH to a new box (which actually happens a lot, every time you reinstall or something), then begin sniffing. After that they have the password and everything, so the attack can expand.