
That was exactly my point. SSL / TLS 2048-bit keys have probably been crackable for some time now, and if they can mirror traffic at tier-1 carrier's level you cannot even detect it, as it's just plain simple mirroring (no hop added or detectable delay).
And for SSH it's time to move to ECC (Elliptic Curve Cryptography) keys.
We are talking about content providers, not ISPs - it's end-to-end communication between a browser (generally) and a server... I was trying to say that NSA can maybe refactor the private key from the public one (you know what a certificate is, I assume) OR that they asked those providers to give them the private key... And so it's basically as if all traffic was in the clear, as they can decipher it.
Well, I give up, you don't understand what I mean and my English is terrible.
So if they can decipher the data in transit (by duplicating it, like if they put a port in a switch in mirroring mode - like SPAN in Cisco's one) they have everything in the clear (that is your password, emails, etc.).
If Facebook and Google are right to say that NSA did not have direct access to their servers and that NSA actually had all emails and stuff, that means that they were able to decipher all SSL / TLS encrypted communications or that they have the private keys of those big content providers. No?
Carmen Reinhart: (Chief Economist) Bear Stearns -> IMF -> Harvard
-> married to Vincent Reinhart: FED -> (Chief US Economist) Morgan Stanley.
famous quote: "Secretary Paulson Makes the Right Call" The Wall Street Journal, Sept. 16, 2008:
"In other words, some government aid might ultimately have to be directed toward financial firms whose failure would otherwise threaten the financial system.
The politicians now running for office should also appreciate that their grand ambitions for new spending programs or tax cuts may have to be tempered by the need to rescue financial firms."
Kenneth Rogoff: IMF -> Harvard
Elliptic paraboloids for sale.