by tedunangst 3977 days ago
The attacker doesn't have the TLS private key, they have the RNG key. But they don't have the RNG seed. Recovering the seed is necessary to predict other RNG outputs and break TLS, but requires observing more RNG output than one typically sees.
1 comment

FWIW, the operative theory here is that "Extended Random" was designed to work in concert with the DUAL_EC DRBG/RNG, which almost certainly allows "Clyde Frog" to predict all future output on the basis of very few samples.
Seems they aren't limited to just future output:

"Using that private key, they can observe CSPRNG output on the wire, “decrypt it”, and use that to rewind and fast-forward other people’s CSPRNGs, discovering their keys."
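The trapdoor that tedunangst's comment and the Dual_EC reply above are talking about, as an added example that is not part of this thread and not any real Dual_EC_DRBG implementation: a toy Dual_EC_DRBG over a small made-up curve (p = 2^31 - 1, y^2 = x^3 - 3x + 12345, 8 of 31 output bits dropped instead of the real 16 of 256), where the second point P has been generated as d·Q. Whoever holds d (the "RNG key") never learns the seed, but from one truncated output plus the next one can recover the generator's current state and reproduce everything after it. The curve constants, the secret d, the seed and all function names are assumptions for illustration.

```python
"""Toy Dual_EC_DRBG with a P = d*Q trapdoor (illustrative; NOT the NIST P-256 parameters)."""

# --- Toy curve: ASSUMED parameters, not the P-256 curve the real Dual_EC_DRBG uses ---
P_MOD = 2**31 - 1          # prime field; = 3 mod 4 so a square root is one exponentiation
P_BITS = 31
A, B = -3, 12345           # y^2 = x^3 + A*x + B over GF(P_MOD)  (hypothetical constants)
DROP_BITS = 8              # real Dual_EC drops 16 of 256 bits per output; we drop 8 of 31
OUTPUT_MASK = (1 << (P_BITS - DROP_BITS)) - 1
INF = None                 # point at infinity


def ec_add(p1, p2):
    """Affine point addition / doubling on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:     # p1 == -p2 (covers points of order 2)
            return INF
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def x_coord(pt):
    """Dual_EC's phi(): the x-coordinate as an integer (0 for infinity, which does not
    occur for sane parameters; mapping it keeps the toy total)."""
    return 0 if pt is INF else pt[0]


def lift_x(x):
    """Return a curve point with x-coordinate x, or None if no such point exists."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if (y * y) % P_MOD == rhs else None


# --- Parameter generation WITH the trapdoor the comments hypothesise: P = d*Q ---
Q_POINT = next(pt for pt in map(lift_x, range(1, 10**6)) if pt is not None)
D_SECRET = 0x5EED1D        # "Clyde Frog's" RNG key (assumed value); nobody else has it
P_POINT = ec_mul(D_SECRET, Q_POINT)


def dual_ec_step(s):
    """One Dual_EC_DRBG iteration: returns (next_state, truncated_output)."""
    r = x_coord(ec_mul(s, P_POINT))
    s_next = x_coord(ec_mul(r, P_POINT))
    t = x_coord(ec_mul(r, Q_POINT))
    return s_next, t & OUTPUT_MASK      # the dropped high bits are what the attacker must guess


def generate(seed, n):
    """Honest use: n outputs from a secret seed."""
    s, outs = seed, []
    for _ in range(n):
        s, t = dual_ec_step(s)
        outs.append(t)
    return outs


def recover_state(out_i, out_next, d):
    """Attacker holding d but NOT the seed: from outputs i and i+1, recover the state
    that produced output i+1.  Truncation hides DROP_BITS bits of x(r*Q), so every
    completion is tried and checked against the next output."""
    for high in range(1 << DROP_BITS):
        x = (high << (P_BITS - DROP_BITS)) | out_i
        if x >= P_MOD:
            continue
        point = lift_x(x)                  # point = +-r*Q; the sign does not affect x below
        if point is None:
            continue
        cand = x_coord(ec_mul(d, point))   # d*(r*Q) = r*P, whose x-coordinate IS s_{i+1}
        if dual_ec_step(cand)[1] == out_next:
            return cand
    return None


def demo(seed=0x1234567, seen=2, predict=4):
    """Observe `seen` outputs, recover the state, reproduce the remaining `predict` ones.
    Returns (real outputs, attacker's reproduction of outputs 1..end, result with a wrong d)."""
    outs = generate(seed, seen + predict)
    s1 = recover_state(outs[0], outs[1], D_SECRET)
    predicted = generate(s1, seen + predict - 1) if s1 is not None else None
    wrong_key = recover_state(outs[0], outs[1], D_SECRET + 1)   # no trapdoor, no prediction
    return outs, predicted, wrong_key


if __name__ == "__main__":
    real, predicted, wrong_key = demo()
    print("real     :", real)
    print("predicted:", predicted, "(from outputs 0 and 1 only)")
    print("wrong key:", wrong_key)
```

Two consecutive outputs are needed, not one, because the dropped bits leave 2^8 candidate x-coordinates (about half of them on the curve) and each candidate maps to a different next state; only the following output tells them apart. The real generator drops 16 bits, so a recovery needs a correspondingly larger candidate search and at least one further block of output to confirm it, which is the sense in which the attacker needs "more RNG output than one typically sees" and why a protocol extension that puts more raw generator output on the wire per handshake, the Extended Random theory in the comment above, would matter to someone holding d.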