That depends. SSL (https) as it is currently implemented in browsers has the vulnerability that you trust all certificates signed with any of the root certificates that are installed in the browser. So if you have a dedicated browser, where you have uninstalled all default certificates and installed only your private self-signed certificate, then SSL is (to the best of my knowledge) secure. Unfortunately, your server has no way to check which certificate the client sees (and vice versa). Therefore it cannot enforce the use of this specific browser. (And this obviously does not work for a public website.)
By contrast, in the case of ssh, the server and client each store a key for the specific connection. In this case your connection is essentially as secure as the key exchange. And if a MITM (man-in-the-middle) attack was already in place when you established a connection for the first time, then ssh will warn you if the MITM attack ends. (Since in this case the server sends you a different public key than the stored one, which was corrupted by the MITM attack.)
This depends on the meaning of "sniff them." If you mean by this that the attacker needs some way to get active equipment into your data stream, then yes. But a sufficiently advanced attacker can of course always get his equipment into your data stream, for example by using directional antennas to spoof a Wi-Fi hotspot, or by digging a hole and splicing it directly into the optical fiber.
Yeah, I don't doubt the government could perform active attacks on more targeted individuals if they wanted to, but this mass collection of internet traffic that's supposedly happening is almost certainly passive.
The same principle that should make Verisign trustworthy (centrally recognized / audited trust authority) makes them vulnerable to nation-state tampering, or more specifically, eavesdropping.
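The difference between the two trust models discussed in this thread (ssh's stored per-host key versus the browser's "any installed root" rule) can be modelled in a few lines. This is an added example, not code from any commenter; `PinStore`, `ca_model_accepts`, the host name, the key blobs and the root names are all hypothetical, and the CA check is reduced to an issuer lookup with no signature validation.

```python
import base64
import hashlib

def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class PinStore:
    """Trust on first use: remember one key per host, like ssh's known_hosts."""
    def __init__(self):
        self.pins = {}

    def check(self, host: str, key_blob: bytes) -> str:
        fp = fingerprint(key_blob)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp  # first contact: nothing to compare against
            return "first-use"
        return "match" if pinned == fp else "MISMATCH"

def ca_model_accepts(issuer: str, trusted_roots: set) -> bool:
    """Browser model (simplified): accepted if any installed root vouches for it."""
    return issuer in trusted_roots

# Constructed sample data (not real keys or real CAs).
SERVER_KEY = b"constructed-server-public-key"
MITM_KEY = b"constructed-interceptor-public-key"
DEFAULT_ROOTS = {"Root A", "Root B", "Root C"}
PRIVATE_ROOTS = {"My Private Root"}

def scenario_mitm_present_at_first_connect():
    store = PinStore()
    return [
        store.check("host.example", MITM_KEY),    # interceptor's key gets pinned
        store.check("host.example", MITM_KEY),    # still intercepted: no warning
        store.check("host.example", SERVER_KEY),  # interception ends: warning
    ]

def scenario_clean_first_connect():
    store = PinStore()
    return [
        store.check("host.example", SERVER_KEY),  # genuine key gets pinned
        store.check("host.example", MITM_KEY),    # later interception is detected
    ]

if __name__ == "__main__":
    print(scenario_mitm_present_at_first_connect())
    print(scenario_clean_first_connect())
    print(ca_model_accepts("Root B", DEFAULT_ROOTS), ca_model_accepts("Root B", PRIVATE_ROOTS))
```

A `MISMATCH` only says the key changed; as the first scenario shows, it cannot tell whether the earlier or the later key was the genuine one, so the fingerprint has to be verified out of band.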