
DDG searches are delivered over HTTPS. It doesn't matter if the NSA can siphon off DDG traffic.


It does matter and the article has reasoning about why it does. "The NSA could get the DuckDuckGo master cert in one of three ways:

1. Be given the cert

2. Physical access to servers or load-balancers

3. Remote access to servers or load-balancers"


If they can get direct access to the DDG servers, then it doesn't matter if they can siphon off traffic at the ISP level. They can just access the data.


But wouldn't that require constant access to the server, whereas the key they could steal once with short access to server and use until it expires without the victim noticing?


My understanding is that if they're using Perfect Forward Security it doesn't matter, because unless you're modifying the traffic in flow (which is much harder to do secretly) then it doesn't matter if someone else has the private key, they won't be able to decrypt the data in any case.


How do you expect to get the nonce across the network without the NSA getting it?


I'm no expert in PFS in TLS, but there are various key-agreement protocols that allow parties to establish a secure key over an insecure channel.

I believe the way PFS works is that it uses RSA to verify identity and then Diffie-Hellman to establish keys.

If you're only able to passively intercept data (i.e. you can't impersonate the server and MITM) then you're unable to discover what the key established by DH is.

(incidentally nonces are generally only relevant for preventing replay attacks; the nonce doesn't play a part in passive defence)


> I believe the way PFS works is that it uses RSA to verify identity and then Diffie-Hellman to establish keys.

It's the other way around. First you do the DH and then use RSA to authenticate (a hash of) DH parameters.
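A constructed toy model of the two exchanges the thread is contrasting (added here as an example, not code from any commenter or from DDG): classic RSA key transport, where a recorded session falls to a later key theft, beside DHE, where the long-term RSA key only signs a hash of the ephemeral DH share and the recorded transcript contains nothing the stolen key can decrypt. The DH group, RSA key and hash reduction are deliberately tiny and insecure; only the structure is the point.

```python
# Toy model of TLS_RSA key transport vs. DHE (ephemeral DH authenticated by an RSA signature).
# All parameters are constructed toy values: a 127-bit DH modulus and a 12-bit RSA key.
import hashlib
import secrets

P = 2**127 - 1              # toy DH modulus (Mersenne prime); real TLS uses 2048-bit groups or ECDHE
G = 2                       # toy generator
N, E, D = 3233, 17, 2753    # toy RSA key from p=61, q=53; far too small for real use


def rsa_private_op(m):      # sign (or decrypt) with the server's long-term private key
    return pow(m, D, N)


def rsa_public_op(m):       # verify (or encrypt) with the server's public key
    return pow(m, E, N)


def hash_to_int(v):         # hash of a DH parameter, reduced mod N so the toy RSA key can sign it
    return int.from_bytes(hashlib.sha256(str(v).encode()).digest(), "big") % N


def session_key(premaster):
    return hashlib.sha256(str(premaster).encode()).hexdigest()


def rsa_key_transport():
    """TLS_RSA: the client encrypts the premaster secret directly to the server's RSA key."""
    premaster = secrets.randbelow(N)                      # toy: must be < N for textbook RSA
    transcript = {"enc_premaster": rsa_public_op(premaster)}  # what a passive recorder sees
    return session_key(premaster), transcript


def dhe_handshake():
    """DHE: DH share first, then RSA signs a hash of it so the client can authenticate the server."""
    x = secrets.randbelow(P - 2) + 1                      # server's ephemeral secret, never sent
    share_a = pow(G, x, P)
    sig = rsa_private_op(hash_to_int(share_a))            # signature over the DH parameter
    if rsa_public_op(sig) != hash_to_int(share_a):        # client verifies before using the share
        raise ValueError("bad server signature")
    y = secrets.randbelow(P - 2) + 1                      # client's ephemeral secret, never sent
    share_b = pow(G, y, P)
    transcript = {"share_a": share_a, "sig": sig, "share_b": share_b}
    return session_key(pow(share_a, y, P)), transcript    # server computes pow(share_b, x, P)


def recover_after_key_theft(transcript):
    """A passive recorder who later obtains D. With key transport the stolen key decrypts the
    recorded premaster. With DHE the transcript holds only g^x, g^y and a signature: D would let
    the holder sign new shares in a live, active (and detectable) impersonation, but it reveals
    neither x nor y, so the recorded session stays closed."""
    if "enc_premaster" in transcript:
        return session_key(rsa_private_op(transcript["enc_premaster"]))
    return None
```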



Well the point raised by the article is that HTTPS doesn't matter much if the certificate is compromised.


Is this true even with perfect forward secrecy, as is used on DDG?


HTTPS doesn't have to terminate at the server doing the work. A feed splitter could be put between the HTTPS termination and the engine room. If DDG were compelled to do this, it's entirely possible to do so without giving up the cert.


How unreasonable is it that DDG could have their private key taken by the NSA?


I expect the NSA does this as a matter of course, at least for large enough companies.



