That's how I read being able to do it because you have "the best, largest, fastest, most advanced machines that money can buy".

Might be easier to steal keys...

Seeing this photo makes me think that's more likely.

https://blog.encrypt.me/assets/img/posts/2013/11/05/nsa_slid...

Pardon the source but I'm on mobile.

That image is a shows an NSA diagram of Google's network, with the links on the "public internet" side labeled "SSL" and on the "Google cloud" side labeled "clear text". You don't have to steal keys to exploit that, you just need physical attacks against the fiber links between Google's datacenters. Google had been working on encrypting that traffic, which was then massively accelerated when they learned it was being actively exploited: https://arstechnica.com/information-technology/2013/11/googl...

(Disclosure: I work at Google)

My pet conspiracy theory is that at least some large governments have quantum computers of useful strength.

It's probably more likely that they're just trudging along with side-channel attacks, CA fuckery, breaking into servers, and doing targeted attacks though. Cheaper and likely works well enough.

I'd be pretty surprised if they had quantum computers to where they could decrypt https, but it's at least possible.

The more prosaic means you're describing, plus zero days and phishing (unless that's included in "targeted attacks"?), can still get them a long way.

Yeah, zero days, phishing and coopting servers to send exploits to specific targets are what I meant by targeted attacks (and some of those overlap).

You're probably right on the quantum computers of course, but I like comparing it against what was publicly know about say cryptanalysis vs what the NSA knew in the DES days, and also similar situations in the ww2 days.