The attack is to generate a certificate, sig. it themselves as valid, and then man in the middle the target. it's not about decrypting somebody else's session, it's about creating their own, seemingly valid one.