Blue Coat, the biggest name in the SSL interception business, is far from the only one offering SSL interception and breaking in a box. Until recently, for example, Microsoft would sell you a program, Forefront Threat Management Gateway 2010, which could do the job for you as well.
Here's how they work. First, if you know networking, this, at a high-level, is how you assume SSL is working for you:
The client asks for a secure-connection and the server says sure and we're off to handshaking our way to a secure connection. The client, typically a Web-browser but it can also be an e-mail, cloud-storage or some other kind of network service client, replies with what kind of SSL it can handle and the client and server compare notes on identity certificates and cryptographic keys until they come to an agreement that they can set up a secure transport layer. At this point, most of you assume that you have a secure end-to-end connection.
The SSL proxy intercepts traffic between your computer and the Internet. When you surf to a "secure" site, it, and not your browser, get the real Web server certificate and handles setting up a perfectly good SSL connection between it and the Web server. The proxy then sends you a digital certificate, which looks like the Web server's certificate, and sets up a "secure" connection between your browser and the proxy.
If your company has set up the proxy correctly you won't know anything is off because they'll have arranged to have the proxy's internal SSL certificate registered on your machine as a valid certificate. If not, you'll receive a pop-up error message, which, if you click on to continue, will accept the "fake" digital certificate. In either case, you get a secure connection to the proxy, it gets a secure connection to the outside site -- and everything sent over the proxy can be read in plain text. Whoops.
Now if your company can do this at your business' firewall couldn't the NSA do something like this at a tier-one ISP? At a major company's Web hosting facility? I don't see why not. After all the NSA set up Room 641A at what was then AT&T's 611 Folsom St. building in the mid-2000s for surveillance.
Is the NSA reading your e-mail and looking over your shoulder when you visit NaughtyNursesNamedNancy.com? I doubt it. With techniques like traffic and metadata analysis, they don't need to bother with that level of detail for the vast majority of people. Technically speaking could they do it? Yes. Easily and just by modifying commercial off-the shelf (COTS) hardware and software.