by soft_dev_person 4086 days ago
It's asymmetric encryption. Even if the server got a hold of the public key, it would not be able to decrypt the contents.

How to ensure the server doesn't get a hold of the private key is the issue (can you really trust the code you're running?).


The bigger problem is "how do you ensure that the public key the server sent is actually the other user's, and not a MITM?".

Exactly, you have to exchange public keys via another method, which is also potentially vulnerable.

But all forms of exchange are potentially vulnerable; the point of using multiple channels for authentication is to increase the challenge-space for potential attackers. Indeed the chief benefit of public key encryption is that the key can be exchanged over a multitude of channels and a compromise of just some of them does not jeopardize the entire operation. Perhaps we need more authentication systems where this is made implicit, with trust based on the number of different mediums the key is transferred over (or the number of different third party signers).

Use keybase.io
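
The multi-channel check discussed in the thread, sketched as an added example that is not part of any comment above: the key the server hands out is accepted only if its fingerprint matches the fingerprints obtained over several independent channels. The channel names, the threshold of two, the reject-on-any-conflict policy and the key bytes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 fingerprint of the encoded public key."""
    return hashlib.sha256(public_key).hexdigest()


def normalize(claimed: str) -> bytes:
    """Accept fingerprints typed with spaces, colons or upper case."""
    return claimed.replace(" ", "").replace(":", "").lower().encode()


@dataclass
class Verdict:
    accepted: bool
    confirming: list
    conflicting: list


def verify_key(server_key: bytes, channel_fps: dict, threshold: int = 2) -> Verdict:
    """Compare the server-supplied key against out-of-band fingerprints.

    Policy (an assumption of this example): at least `threshold` channels
    must confirm the key, and any disagreement rejects it, because a
    mismatch means the server or that channel is presenting a wrong key.
    """
    fp = fingerprint(server_key).encode()
    confirming, conflicting = [], []
    for channel, claimed in sorted(channel_fps.items()):
        match = hmac.compare_digest(normalize(claimed), fp)
        (confirming if match else conflicting).append(channel)
    accepted = len(confirming) >= threshold and not conflicting
    return Verdict(accepted, confirming, conflicting)


# Constructed sample data: stand-ins for encoded public keys.
ALICE_KEY = b"constructed-public-key-bytes-for-alice"
SUBSTITUTED_KEY = b"constructed-public-key-bytes-swapped-in-transit"
_fp = fingerprint(ALICE_KEY)
CHANNELS = {
    "in_person_card": _fp.upper(),
    "personal_website": _fp,
    "signed_email_footer": ":".join(_fp[i:i + 2] for i in range(0, 64, 2)),
}
```

A substituted key fails every channel at once, while a single tampered channel shows up as a conflict instead of silently lowering the confirmation count.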