SSL uses two keys, a private and a public one. Only the public key is sent and this key has no value unless you know the private one.
Every party is encrypting the data it sends with the public key of the other one (that's a little bit more complex but you got the idea). Only the recipient is able to (easily) decode the traffic.
That means that traffic sniffing is so not that much a problem, although of course brute force attacks would be depending on the key size and algorithm used.
Man in the middle attacks based on traffic interception and server substitution are a higher risk but normally prevented by the use of trusted certification authorities. It would however be defeated if you ignore the warnings your browser displays when a server certificate isn't matching the site name or hasn't been issued by a trusted chain of authorities (eg: self signed certificate).