We're not talking about forging ssl certs and never have been. NSA doesn't do that and never will, for reasons which are totally obvious if actually think about what would happen if they did.

By "forge" I meant using the private keys (obtained through FISA, or possibly cracked) to either decrypt or MITM SSL sessions, not using one of their own CAs to create a valid but obviously fake certificate, which I assume is what you thought I meant.

Maybe "forge" was the wrong word.

I think (not an expert) that with elliptic curve Diffie-Hellman (which e.g. Google uses), even with the private key and the whole session, you still can't decrypt the session (Diffie-Hellman provides a secure channel, public/private proves the server is who it says it is).

That is correct. These are referred to as ECDHE, or DHE for the non-ECC variant (vanilla DH). The last e is "ephemeral", referring to the lifetime of the session key.

The property that this provides is known as "forward secrecy".

Assume they have access to the original pricate keys.

We're talking about anonymity, not secrecy.

Oh I see. That works as long as nothing you do online can identify you. That rules out the vast majority of things people do online.