Do all of those sites only send cookies over HTTPS (or did they at the time the GCHQ document was written)? I know, for example, that the Amazon homepage is sent in the clear - is that sufficient to ID the user?
My gut reaction is that HTTPS isn't generally broken (though is probably susceptible to implementation flaws and targeted attacks to e.g. steal a priv. key) or we'd have seen more direct evidence in the leaked documents. That said, given the volume of documents that remain unpublished (or even unleaked), and the time that has passed since they were written, it's difficult to say for sure.
The trouble with https is that if you control the certificate authorities you can easily beat https. I don't see how the NSA doesn't control at least some certificate authorities and they work closely with GCHQ (even paying the UK money to fund some of these programs).
My gut reaction is that HTTPS isn't generally broken (though is probably susceptible to implementation flaws and targeted attacks to e.g. steal a priv. key) or we'd have seen more direct evidence in the leaked documents. That said, given the volume of documents that remain unpublished (or even unleaked), and the time that has passed since they were written, it's difficult to say for sure.