Why is a "secure connection" (SFTP, HTTPS, etc.) actually secure?
The problem with a non-secure website is that anyone on your internet connection can look for the packets you send and put the pieces back together. It's easy, for example, to silently steal passwords if you're sending them to a non-secure site.
And a secure connection encrypts that data. Let's assume the algorithm is not hacked. Ok, it works. The idea is simple: you and the server share an encryption key and all of the data transmitted is meaningless until decrypted with that key. Simple. If anyone is listening in, all they seem is useless characters.
But... what I don't understand is why that key is secure in the first place. If someone was listening to my entire session (let's say I go to my bank's website, I get the encryption key [unencrypted, right?], and then I send my now encrypted password, and I do my stuff, and I leave the coffee shop)... then, with all of the information, wouldn't they be able to see it, assuming they had the right methods to apply the key to the data?
Why is the key itself secure? Or is that just an extra measure used to make it one layer harder to hack people?
Moderator's note: This topic borders on hacking topics; my intention in posting it is to know about security, not to ask how to hack anything-- I'm interested in whether hacking in a certain situation is possible, not how to do it. This is not a hacking website, so please do not post any direct instructions for how to hack.