A 4096-bit RSA key is still well beyond the means of even a very capable state actor. The standard nowadays is 2048-bit RSA keys, cracking of which is also (probably) still beyond anyone's capabilities. Maybe a multi-year effort directed at a specific target might manage to crack a single key, but I wouldn't bet on it. RSA cracking efforts would almost certainly focus on smaller keys that are still being used despite the warnings.

However, even if they did crack a major infrastructure provider's RSA key, TLS nowadays uses ephemeral key exchange which provides forward secrecy. So it doesn't matter if an intelligence agency collected every packet, they could not decipher the contents after the fact. They would have to actively interdict every TLS handshake and perform a man-in-the-middle attack against both parties all the time.

It is extremely doubtful that this is happening en masse. Such a process would require an immense amount of online computing power directly in the path of all Internet traffic. Much of the compute available to intelligence agencies (and accounted for in back-of-the-envelope calculations by outside parties) is effectively offline due to airgaps. It's not like they want people doing to them what they're doing to others, after all.

It's much easier to send an NSL to Google to read your email than to try to intercept it over the wire. The latter capability would be reserved for high-value targets unreachable by the US legal system, not mass surveillance.

>It's much easier to send an NSL to Google to read your email than to try to intercept it over the wire. The latter capability would be reserved for high-value targets unreachable by the US legal system, not mass surveillance.

https://blog.encrypt.me/2013/11/05/ssl-added-and-removed-her...

That pissed a lot of people off at Google, and served as a major catalyst for their in-house RISC-V networking hardware.