[ville]

It does matter and the article has reasoning about why it does. "The NSA could get the DuckDuckGo master cert in one of three ways:

1. Be given the cert

2. Physical access to servers or load-balancers

3. Remote access to servers or load-balancers"

[grhino]

If they can get direct access to the DDG servers, then it doesn't matter if they can siphon off traffic at the ISP level. They can just access the data.

[ville]

But wouldn't that require constant access to the server, whereas the key they could steal once with short access to server and use until it expires without the victim noticing?