
From the article's excitement, I would almost guess that they have a working attack against AES, but that sounds extremely unlikely with the amount of scrutiny AES has received. Still, AES is known to have some very clean algebraic properties, and people have wondered since the AES competition whether those would translate into real attacks -- perhaps the NSA has found a way. At least, the discussions about saving data to decrypt later sound very suggestive of a break on either Triple DES or AES.

But I should say that you wouldn't have to break AES to break HTTPS and read most of the encrypted conversations on the web. In late 2008 a group of academics broke HTTPS by lifting a digital signature from a legitimately-signed document which gave few HTTPS permissions, onto a document which gave them arbitrary permissions. They did this by breaking the MD5 algorithm, and it caused the community to finally excise the last of the MD5 certificates for SHA1 certificates. But the NSA could do the same with the SHA1 algorithm's known weakness, and could then listen in on any man-in-the-middle attack they wanted. How complex is this? Since 2008, we've had an attack which might work in 2^52 operations or so. For the NSA that's approximately nothing. The Cray computer (one which we know the US government has) does roughly 2 petaflops now, or 2^51 operations per second or 2^67 per day. So it's reasonable to believe that, if they move from eavesdropping to active communication, they can already break HTTPS. (There is a risk in this method, however: if someone catches you doing this "in the wild", then they might notice and raise a big stink about it.)

Their exaflop goal would then be 2^85/year, which would be enough to run publicly-known attacks against Triple DES and perhaps to factor known 1024-bit RSA moduli -- for example the Equifax Root CA is 1024 bit RSA. If you could compromise one of those just once, you could issue certificates of your own -- and it would be extremely difficult if not impossible to detect the intrusion. So with exaflop computing, they could seriously just spend a couple weeks breaking an RSA-1024 modulus and launch undetectable man-in-the-middle attacks against everyone.

It's also likely that they've got more efficient attacks than the public researchers have, since they have access not only to the public research but also to a set of well-paid brilliant minds who work on these problems every day, and have been for quite some time. (It would be nice to have some transparency and know just how far they have gotten, but of course they won't even tell us that. I guess that's a bit of a weird question anyway, like asking, "in the odd event that you might want to stab the Internet to death, we would like to know: how large is the largest knife you own?")
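The weak links this comment points at (MD5- or SHA-1-signed certificates and 1024-bit RSA roots) are things a defender can check for directly. The following is an added example, not code from the thread: it audits parsed X.509 certificates for collision-prone signature hashes and undersized RSA keys, using constructed self-signed certificates as fixtures rather than any real CA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// weakSigAlgs: signature algorithms whose hash (MD2, MD5, SHA-1) has practical collision attacks.
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD2WithRSA: true, x509.MD5WithRSA: true,
	x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
}

// auditCert returns one finding per weakness found in a parsed certificate.
func auditCert(c *x509.Certificate) []string {
	var findings []string
	if weakSigAlgs[c.SignatureAlgorithm] {
		findings = append(findings, "weak signature hash: "+c.SignatureAlgorithm.String())
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key too small: %d bits", pub.N.BitLen()))
	}
	return findings
}

// selfSigned builds a constructed self-signed CA certificate of the given RSA size
// (a test fixture only; Go signs it with SHA-256, so only key size varies).
func selfSigned(bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, bits := range []int{1024, 2048} {
		c, err := selfSigned(bits)
		if err != nil {
			panic(err)
		}
		fmt.Println(bits, "bits:", auditCert(c))
	}
}
```

To audit a real trust store, feed each PEM block through x509.ParseCertificate and pass the result to auditCert.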

It's also likely that they've got more efficient attacks than the public researchers have, since they have access not only to the public research but also to a set of well-paid brilliant minds who work on these problems every day, and have been for quite some time.

In case people aren't aware, this isn't just hyperbole.

The story of the DES S-Boxes[1] indicates the NSA (actually IBM working with NSA, but still) was roughly 15-20 years ahead of publicly known attack techniques in 1990. I'd imagine the public state of the art is a bit closer now, but there is little doubt they have a big lead.

[1] http://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA.27...


There were few reasons for mainstream adoption of cryptography in the early 90's. On-line commerce and communication barely existed. Thus little motive existed for public cryptography research and development. By comparison, militaries of the world had decades of experience. Battles had been won and lost because of cryptography.

The cypherpunk movement[1] of the 90's and gradual push towards mass adoption of cryptography for on-line commerce led to the NSA attempting to introduce key escrow via the clipper chip[2] (to enable backdoor access to crypto systems). This plan suffered a quick demise, hastened in part by a serious vulnerability in the scheme being identified by Matt Blaze in '94.

The rate of progress of this movement raised a lot of eyebrows. Crypto currencies were discussed and demonstrated. Julian Assange (and others) demonstrated Rubberhose FS (a deniable encryption system). And if that wasn't extreme enough, Jim Bell started a conversation about the application of cryptography to anonymous crowd-sourced political assassinations (!)...

It should be fairly obvious to see why the NSA (and more widely, the US government) had concerns. These concerns are still valid today with dual-use crypto-anarchy[3] technology such as Tor and Bitcoin being in common use. One side may be trying to prevent this technology being used by Mexican drug cartels, smugglers, etc. The other side sees greater merit in ensuring that populations in Syria, Iran, China, etc. can bypass government censorship.

It's well worth reading about this era of computing history and all the well known names that were involved[4]. The insight gained will help with forming opinions on current topics, ensuring that both sides of arguments and all consequences are considered.

In summary, I think it'd be fair to say that mainstream reliance on strong cryptography has dwarfed military usage for a number of years now. The threat is also significantly higher to public/commercial entities because a failure of crypto systems in banking, stock exchange, news and on-line commerce could destroy economies. A break of AES, RSA, etc would primarily be kept secret to prevent economies from collapsing -- not so much to maintain an ability to decrypt meaningless chitter-chatter between millions of ordinary people.

[1] https://en.wikipedia.org/wiki/Cypherpunk

[2] https://en.wikipedia.org/wiki/Clipper_chip

[3] https://en.wikipedia.org/wiki/Crypto-anarchism

[4] https://en.wikipedia.org/wiki/Cypherpunk#Noteworthy_cypherpu...
