Short but good article that links off to several other articles about the NSA probably being able to break (with relative ease) weaker Diffie-Hellman implementations. VPNs, https and a lot of other stuff uses this type of encryption to keep your comms/data safe and the paper (second link) proposes that the NSA can already break a significant amount of this traffic, certainly at the 512- level and most likely at the 768- and 1024-bit level too and some of it in real time when it has already done some precomputation.

Quote Originally Posted by Imperfect Forward Secrecy
Figure 1: The number field sieve algorithm for discrete log consists of a precomputation stage that depends only on
the prime p and a descent stage that computes individual logs. With sufficient precomputation, an attacker can quickly break
any Diffie-Hellman instances that use a particular p.
The first link is a blog which pulls together some snippets of info from other sources to support the contention that this 'sufficient precomputation' capability is already within the NSA's capability and budget. The links from the blog are worth a read too, but the gem is the paper (second link below) which is excellent for those who like detail and a fair slug of mod maths. I just spent a good 2 hours going through the paper and it was a great (if tough) read, but it was well written and if you concentrate hard a lot of it can be followed without massive maths knowledge (mostly)!

How is the NSA breaking so much crypto?

Imperfect Forward Secrecy:
How Diffie-Hellman Fails in Practice
(winner of Best Paper Award at CCS 2015)
(if you struggle with the early part of the paper, jump to page 7 and read from point 4)

No need to drop your trousers guys, the NSA already have a good view if you use 'export strength' D-H. Probably time for the world's internet security to be upgraded again!