You can't think about this like internet security. Normal encryption doesn't care how long the network cord is. Opening your car door does. This attack lengthens the cord between client and server without touching the data on the cord so that you are genuinely logged in from an encryption standpoint, but from a world standpoint you are sitting at your office desk unable to see your car.