Okay, a couple of points of confusion here.

First, HTTPS isn’t actually encrypted with a public/private key scheme — technically, “asymmetric encryption.” It’s instead encrypted using a symmetric encryption — one of several, actually — with a session key that’s established through an algorithm like Diffie-Hellman key exchange.

The result is that the encryption is carried out through a one-use key that’s computed as part of the handshake setting up the SSL connection.

The Wikipedia article on Transport Layer Security (SSL was really a proprietary term from Netscape) is reasonably decent.

If you could get that key, you could indeed decrypt the data, but since the usual key now is 128 bits long, you have roughly 1 chance in 2¹²⁸ of getting it right — or, in another way of looking at it, you can expect to take about 2¹²⁷ (170141183460469231731687303715884105728) tries before you’d find the key.

But second, asymmetric encryption does come in one way, however. When you’re establishing an SSL connection, the host provides an X509 certificate to identify itself; that’s so someone can’t hijack DNS and make themselves appear to be paypal.com instead of Vlad’s Cut Rate Hacking. The X509 certificate is signed using a public/private key pair: the signature is hashed using the private side of a trusted providers key — say VeriSign. They provide the public side, which allows you to confirm that the certificate was indeed encrypted by VeriSign. That confirms the authenticity of the cert.