They are apparently using key-stealing to do this. The algorithms are mathematically unbreakable, but that doesn’t matter if you swipe the key somehow.
You have to understand how SSL works to understand how this is possible. It is a three-step handshake. The server sends you a signed message, which you verify against the public certificates in your browser’s keystore. You then send it a message encrypted with its public key, and it replies with an encrypted message with a proposed symmetric key. You then accept the symmetric key, and from then on communicate in a symmetric cipher.
Now all the NSA has to have is the server’s private certificate, and it can read the asymmetric traffic and pick up the symmetric key as it is sent. If you have a buddy at Verisign, this is easily done.
I thought SSL used Diffie-Hellman key exchange, which is susceptible to a man-in-the-middle attack unless at least one party to the communication can send the other a “signed” copy of a hash of its random key, but would not allow for retrospective analysis—even by someone who had access to all of the information that parties to the communication would typically retain afterward (the parameters necessary to generate the per-session key are typically generated randomly at the start of a conversation and, along with the key, discarded afterward).
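
The distinction the last comment draws, as an added example that is not part of the thread: a toy Python model of a recorded handshake under RSA key transport versus signed ephemeral Diffie-Hellman, showing what a later-disclosed long-term private key recovers in each case. The parameters (Mersenne primes, unpadded RSA), function names and wire format are assumptions made for illustration and are not TLS itself.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration: far too small and unpadded for real use.
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1                   # two Mersenne primes
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))     # server's long-term private key
DH_P, DH_G = 2**127 - 1, 3                            # toy Diffie-Hellman group


def kdf(secret: int) -> bytes:
    """Derive the symmetric session key from the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def transcript_hash(A: int, B: int) -> int:
    """Hash of the exchanged DH public values, truncated to fit under RSA_N."""
    return int.from_bytes(hashlib.sha256(f"{A}:{B}".encode()).digest()[:16], "big")


def rsa_key_transport():
    """Client picks the secret and sends it encrypted to the server's long-term key."""
    premaster = secrets.randbits(128)
    wire = {"enc_premaster": pow(premaster, RSA_E, RSA_N)}   # all a recorder sees
    return wire, kdf(premaster)


def ephemeral_dh():
    """Both sides pick fresh exponents, exchange public values, then discard them."""
    a = secrets.randbelow(DH_P - 2) + 1               # client ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1               # server ephemeral secret
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    sig = pow(transcript_hash(A, B), RSA_D, RSA_N)    # signature is what stops a MITM
    return {"A": A, "B": B, "sig": sig}, kdf(pow(A, b, DH_P))   # a, b are dropped here


def recover_later(wire: dict, long_term_d: int):
    """What a recorded transcript plus a later-disclosed long-term key yields."""
    if "enc_premaster" in wire:
        return kdf(pow(wire["enc_premaster"], long_term_d, RSA_N))
    # For DH the long-term key only relates to the signature; the session key
    # needs a or b, and neither appears anywhere in the transcript.
    assert pow(wire["sig"], RSA_E, RSA_N) == transcript_hash(wire["A"], wire["B"])
    return None


if __name__ == "__main__":
    for name, handshake in (("RSA transport", rsa_key_transport), ("ephemeral DH", ephemeral_dh)):
        wire, session_key = handshake()
        print(name, "recovered:", recover_later(wire, RSA_D) == session_key)
```
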