As discussed in the section about passive RSA decryption, keys can be obtained from the server either with an NSL or with malware. RSA keys not only make passive decryption trivial, they also enable completely invisible MITM attacks. Here’s how the attack works against key exchange protocols:
Since DHE is an anonymous key exchange protocol, the only way for the client to know that the DHE parameters come from the server is the signature over the DH values, verified using the server’s CA-signed public signing key. The client is unable to detect the MITM attack if the HSA signs its own DH values using the server’s private signing key.
There is no way for the client (not even certificate pinning) to detect a MITM based on a stolen server private key.
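An added example (not from the original post) that models this in toy Python: a signed DHE key share, and everything the client can check on it (pinned public key plus signature). The group, the textbook RSA key pair and the transcript format are constructed placeholders, far below real sizes, but the shape of the check is the same as for signed DHE.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only; real TLS uses 2048-bit+
# groups and keys. The protocol shape is the same as signed (finite-field) DHE.
P, G = 23, 5                  # DH group (prime modulus, generator)
SERVER_PUB = (3233, 17)       # textbook RSA public key (n, e), as in the server cert
SERVER_PRIV = (3233, 2753)    # matching private key (n, d): the secret that leaks

def _digest(msg: bytes, n: int) -> int:
    # Hash the transcript into [1, n-1] so the toy signature is always defined.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (n - 1) + 1

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

def transcript(gx: int) -> bytes:
    # What the signature covers: the DH parameters and the ephemeral share.
    return f"{P}|{G}|{gx}".encode()

def signed_key_share(signing_key, x=None):
    """ServerKeyExchange-style data: ephemeral share plus signature over it.
    Any holder of `signing_key` can produce this; the client cannot tell
    which holder did."""
    x = secrets.randbelow(P - 2) + 1 if x is None else x
    gx = pow(G, x, P)
    return x, gx, sign(signing_key, transcript(gx))

def client_accepts(presented_pub, gx: int, sig: int, pinned_pub=SERVER_PUB) -> bool:
    """Everything the client can check: the presented key equals the pinned one
    (certificate pinning) and the signature over the share verifies under it."""
    return presented_pub == pinned_pub and verify(presented_pub, transcript(gx), sig)

def demo():
    # Two shares signed with the same private key: the genuine server's, and
    # one from a second holder of a copy of that key. Both pass the same check.
    _, gx_a, sig_a = signed_key_share(SERVER_PRIV)
    _, gx_b, sig_b = signed_key_share(SERVER_PRIV)
    # A signature altered by someone without the key is rejected.
    tampered = client_accepts(SERVER_PUB, gx_a, (sig_a * 2) % SERVER_PUB[0])
    return (client_accepts(SERVER_PUB, gx_a, sig_a),
            client_accepts(SERVER_PUB, gx_b, sig_b),
            tampered)

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The check rejects a forged signature but passes any share signed with the leaked key, which is exactly why pinning the public key does not help: the pinned key is the one the leaked private key matches.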