I think you're confusing simple secret-key encryption (DES, AES, etc.) with public/private-key encryption (RSA).

In secret-key encryption, if an attacker steals the data and guesses or brute-forces the secret key, they can see the data. In public/private-key encryption, a message you send to the server is encrypted with a public key and can ONLY be decrypted by a private key known only to the web server (the certificate you bought from Verisign, Thawte, etc.). This is how, when you sign on to PayPal or some other site over https, you don't have to worry about your credit card being stolen in transmission. Sitting in some DB at the company where employees can get at it, you should worry, but during transmission it's unlikely to get cracked. -Andrew