In an informal chat, my HR head asked me, "What is HTTPS? I know it's related to security, but what exactly is it?" So I thought this could as well be the first article for #Piton #TechITEasy.
To explain how HTTPS and your browser keep you secure, let me use the analogy of a lock. This lock is different from a normal one in three ways:
1. It has one key to close the lock and a separate key to open it.
2. The key that closes the lock cannot be used to open it. Let's call it the public key; it is available to everyone.
3. The key that can open the lock is called the private key and is kept very safely by the owner.
Another important aspect: you can buy this lock and key pair only from recognised authorities, and only after proving your identity. This lock and key is what enables HTTPS on your website.
Now suppose I am logging in to my online banking account at www.bigbank.com, which has already obtained the lock and key (i.e. HTTPS). This is what happens.
(a) On the first request from my browser, the Big Bank server gives me the lock and public key and asks me to send only locked information.
(b) Now, I don't know whether it was really www.bigbank.com or someone else posing as Big Bank who gave me the key. So I (i.e. my browser) take this key to the authorities and get it validated to confirm it really belongs to www.bigbank.com.
(c) But this validation is still not good enough for me, as anyone can get the public key and pass it on to me. So I use another trick. Instead of directly sending my user id and password, I send a message to bigbank.com saying, "Let's use a super secret language to talk to each other, so even if anyone listens, they won't be able to understand it." I lock this message in a box using the lock and public key.
(d) Now remember our unique lock: it can only be opened by the private key, and only the real bigbank.com has the private key. So only they can open it and reply back in the secret language.
(e) Once I get the reply in the secret language, I am assured that it's really bigbank.com. Then I send them my user id and password and happily carry on communicating in our secret language, without worrying that anyone else might get my information.
To summarize, HTTPS has not only ensured that my information is encrypted (I called it the secret language) but also that it is going to the correct website and not to some impostor.
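The exchange in steps (a) to (e) as an added toy model; this is not code from the original post. It stands in textbook RSA with tiny constructed primes and a SHA-256 XOR pad for real TLS, and assumes the browser already trusts one authority's public key (the domain, primes and banner text are constructed for the example):

```python
import hashlib
import secrets

P_BANK, Q_BANK = 1000000007, 998244353   # constructed toy primes (bank's pair)
P_CA, Q_CA = 2147483647, 4294967291      # constructed toy primes (authority's)
BANNER = b"hello from the bank"          # reply the browser expects in step (e)

def keygen(p, q, e=65537):
    """Return ((e, n), (d, n)): the public 'lock' and the private 'key'."""
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def rsa(x, key):
    return pow(x, key[0], key[1])  # lock with the public key, open with the private one

def digest(data, n):
    """Hash bytes to an integer below the modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_cert(domain, pub, ca_priv):
    """The authority vouches that `pub` belongs to `domain` (proof of identity)."""
    e, n = pub
    return domain, pub, rsa(digest(f"{domain}|{e}|{n}".encode(), ca_priv[1]), ca_priv)

def cert_valid(cert, ca_pub):
    """Step (b): check the authority's signature on the domain and public key."""
    domain, (e, n), sig = cert
    return rsa(sig, ca_pub) == digest(f"{domain}|{e}|{n}".encode(), ca_pub[1])

def secret_language(secret, msg):
    """Toy symmetric cipher: XOR with a pad derived from the shared secret."""
    pad = hashlib.sha256(secret.to_bytes(8, "big")).digest()
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(msg))

def handshake(cert, ca_pub, responder):
    """Browser side of steps (b)-(e); returns (authenticated, shared_secret)."""
    if not cert_valid(cert, ca_pub):
        return False, None
    secret = 1 + secrets.randbelow(2**32 - 1)  # the proposed secret language
    reply = responder(rsa(secret, cert[1]))    # step (c): box locked with public key
    if secret_language(secret, reply) != BANNER:
        return False, None                     # step (e) failed: no private key
    return True, secret

def real_bank(priv):
    """Step (d): only the private key opens the box and reveals the secret."""
    return lambda box: secret_language(rsa(box, priv), BANNER)

def impostor(box):
    """Holds the certificate and public key but not the private key; can only guess."""
    return secret_language(0, BANNER)
```

Running `handshake` against `impostor`, who holds the genuine certificate but not the private key, returns `(False, None)`: the certificate check alone does not prove who is on the other end, the locked box in step (c) does.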