This is somewhat of a red herring. It's more feasible for the NSA to attack from a side channel, and with their influence that's what they've been doing. No doubt they may have optimized some attacks on already previously weakened ciphers (such as RC4), but there's so many other links to strike.
We'll use standard DHE if the user selects an RSA cert (2048, 3072, or 4096). And we'll use ECDHE if the user selects an Elliptic Curve cert. We'll also be displaying a disclaimer about the potential issues with ECC (certain experts believe TLS curves may be compromised/weakened) if the user selects that.
> We will also be adding support for something no other provider is currently offering called Elliptic Curve Cryptographic security, with both 256bit and 521bit curves.
Any particular reason to not offer 384bit as well?
For OpenVPN - which is the only protocol we advise for real security (PPTP and IPSec/L2TP are fine for just hiding your IP) - we don't use pre-shared keys. OpenVPN uses TLS for exchanging strong symmetric keys. Your password is only used for authentication and its entropy isn't related to your session's security.
PPTP is well documented as being broken at this point but I have not seen any equivalent for IPSec/L2TP. Please quote sources as I would be interested in researching further as well as the rationale for OpenVPN being the only "real" security.
If I was the NSA I'd force/put some piece of network hardware that mirrored all VPN traffic exiting PIA's endpoints. I would assume that the US, UK and DE endpoints might be monitored without PIA's knowledge (unless they own the data centre and/or upstream provider?).
Then it is fairly simple to start pattern matching the unencrypted traffic exiting your endpoints by matching HTTP headers for each client. Then all they would need is for a VPN user to acces a website that leaks the user's identity and you can back match their previous traffic.
For example, you search for information on "how to make a bomb" via the VPN. Your browser sends the the HTTP headers, Accept-Language set to Accept-Language: ar-YE,en-US,fr-FR,de-DE;q=0.5 and a user agent of Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:21.0.0) Gecko/20121011 Firefox/21.0.0. Those HTTP headers aren't unique, but they vastly narrow the search scope.
Now as that user you visit your Facebook page, and those same matching HTTP headers are passed. Boom, you've just leaked your true identity.