You're understanding is basically correct.
First I'd like to mention that if you know the PSK, or have a copy of the certificate, it's basically game over. Cracking the the session key is cryptographically trivial if you've got that much information. If you don't have the PSK or cert you're left with brute force, as you mentioned.
Certificates are just as "easy" to brute force as PSKs, except that certificates are usually longer. A sufficiently long PSK works just as well however (for practical purposes). Also cracking RC4 is essentially as easy as cracking AES (for the purposes of NGOs)
You are however drastically underestimating the processing power required to crack a decently complex PSK. A PSK should be at least 12 characters long, using lower case, upper case, numbers, and symbols.
If you wanted to search all the possible keys up to 15 characters long (using all the aforementioned characters) you would have to search about 800 septillion keys. If your computer can calculate a billion keys per second it would take about 24 billion years to try them all.
Now after you you get half way through those keys, you're more likely than not that the next key you calculate will be the correct key; thus for the purposes of probable key cracking, you can chop that time in half.
Best get started now, you've going to be there a while. See also, Jeff's Post.
It'd be much easier to simply break into the person's house and beat the information out of them. (I absolutely do not condone, advocate, or suggest physically harming someone or threatening to do so)
WiFi under WEP everyone shares the same encryption key anyway, so broadcasts are no trouble. Under WPA/WPA2 a Group Transient Key (GTK) is given to each endpoint after the initial PTK (session key) is setup. Broadcasts are sent using this GTK so that all endpoints can decrypt it. In infrastructure mode endpoints aren't allowed to talk to each-other directly, they always go through the AP.
Edit:
If you need to generate a good WPA password, here's a random password generator.
If you pick a weak dictionary based passphrase, it can be cracked very quickly (<5 minutes) with an average modern laptop; it does however require the cracker to intercept the 4 way handshake when a WPA is setup.
Edit2:
NGO = Non-Governmental Organization (ie, typical corporations or mad scientists, people without the resources to build or use a top100 supercomputer to break keys, even if they wanted to).
Within WEP, WPA, and WPA2 there is no way to prevent legitimate users who can "hear" the two initial nonces from cracking the PTK. Another layer such as IPSec could be grafted over the top (in fact, IPSec could be used to replace WEP/WPA). WEP and WPA are not meant to insure individual privacy. They are meant to make your wireless network as secure as a wired network (which is not very secure in the first place). While they aren't perfect, they meet this goal most of the time.
Best Answer
Sniffing a remote server is possible, though not easy. The most effective (though not reliable) is to compromise another device on the same subnet as the web server to the level that you can execute a sniffer. At that point you deploy ARP Poisoning to convince the switch that you need to see that server's traffic. If the switch isn't set up to defend against that kind of attack, this should give you the full network stream to the target web-server. However, it does require you to compromise a host to get access to another host, so the bootstrap chain to get to this capability is pretty long and complicated as it is.
The next most effective method is to compromise the router attached to that network. At that point you can do a lot of interesting things including (depending on the router) forwarding traffic destined to that target web server to another network location you control. This method, however, is generally a lot harder than the first one. Network admins tend to lock this kind of thing down a LOT harder than server admins, in large part because the attack surface is a lot smaller. Also, rare is the router administrative address accessible to a public network in any way.
As a recon method, sniffing is more useful when breaking into an application once the web server has already been cracked. Perhaps they're looking to sniff a back-end network for credentials passed in the clear to a database over an assumedly secure channel. This method is one used by sophisticated attackers, and generally isn't in the 'sploit toolkit repertoire.