
The NSA doesn't need this amateur-hour backdoor. They surely have control of one or more genuine certificate authorities already.


Impersonating a CA is not transparent and risks losing that CA if anyone finds out it's forging certs. They probably can do that, but it's a risky nuclear option.

This is a transparent dragnet that can easily be blamed away, which has been shown to be far preferable in the NSA's M.O.


The sad thing is we don't need to invoke the big bad NSA here. There is absolutely positively nothing about this that suggests it is anything other than bog-standard SSL incompetence.

And to be clear, I mean, absolutely nothing. This isn't a slightly unlikely thing that still leaves room to wonder about "plausible deniability"... this is a thing that happens all the damned time and the NSA need at most sit back and passively reap the benefits, along with hackers and criminals.

Somebody somewhere wanted to get in on the advertising gig because it looks like free money. Their first attempt didn't work on HTTPS sites. Some techie was ordered to fix it. Said techie read a few things on a few sites and typed in the magic commands to "make it work" and probably literally didn't even know that they'd just annihilated security for all their users... they literally just knew that this made their software "work", and for them, pretty much the first time they clicked on to an HTTPS page and saw their own ads, the story ended. Ship it.

To a first approximation, nobody using SSL in some manner understands SSL.
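The "magic commands" the comment above describes amount to installing a root CA, whose private key ships in every copy of the software, into the user's trust store. The script below is an added example, not code from the thread or from any product it discusses, and the CA name, hostname and file paths are made up. It shows the two halves of the problem: anyone who extracts the shipped key can mint a certificate for any hostname that a client trusting that root will accept, and the one cheap check a practitioner can run is whether a site's certificate chains to the adware root rather than to anything in the system store.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates why a root CA private key
# shipped inside an adware binary defeats TLS for every user who installed it.
# Requires the openssl CLI. CA name, hostname and paths are invented.
set -eu

WORK="${TMPDIR:-/tmp}/adware-ca-demo.$$"
mkdir -p "$WORK"

# 1. The self-signed "root CA" the adware installs into every user's trust store.
#    In the scenario under discussion the same key ships in every copy of the binary.
make_adware_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Totally Legit Ad Network Root" \
    -keyout "$WORK/adware-ca.key" -out "$WORK/adware-ca.crt" >/dev/null 2>&1
}

# 2. Anyone who has extracted that key can sign a leaf for any hostname.
#    The forged leaf carries a matching SAN so modern clients will accept it.
forge_leaf() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -days 30 -in "$WORK/$host.csr" \
    -CA "$WORK/adware-ca.crt" -CAkey "$WORK/adware-ca.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# 3. Validation as seen by a client that trusts the adware root: the forgery passes.
#    Prints "ok" or "fail".
verify_against_root() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# 4. Validation against the system trust store only: the same leaf is rejected,
#    because nothing there vouches for the adware root. Prints "ok" or "fail".
verify_against_system() {
  if openssl verify "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# 5. The cheap detection check: does the leaf's issuer name the adware CA?
#    Run this on the certificate a browser actually received. Prints "yes" or "no".
issuer_is_adware() {
  if openssl x509 -noout -issuer -in "$1" | grep -q "Totally Legit Ad Network Root"; then
    echo yes
  else
    echo no
  fi
}

# Demo run: forge a leaf for a hostname the adware has no business signing for.
make_adware_ca
forge_leaf www.example.com
verify_against_root "$WORK/www.example.com.crt" "$WORK/adware-ca.crt"   # ok
verify_against_system "$WORK/www.example.com.crt"                       # fail
issuer_is_adware "$WORK/www.example.com.crt"                            # yes
```

The `verify_against_root` result is what every user of the adware sees for every HTTPS site once the root is installed; the `issuer_is_adware` check, or more generally comparing the root a chain terminates in against the public CA set, is how an interception of this kind is spotted from the client side.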


It does seem like this is more of an amateur-hour screw-up. It isn't beyond the NSA to plant developers that can insert backdoors on their behalf or set up front companies to sell vulnerable libraries, but one would hope that they have enough sense not to leave cleartext passwords in a binary. Of course that could be an intentional misdirection, so one never really knows.


I really don't agree. Every government has an official CA, and last time one was caught (France with fake Google certs IIRC), nothing happened at all. Most CAs are too big to fall anyway.



