For detailed explanation of SSL, see https://www.ietf.org/rfc/rfc2246.txt
Here are the brief ideas of SSL to answer your question:
1) Using certificates to authenticate. Server certificate is a must and client certificate is optional (only when the server requests it). A certificate is like something to prove who you are and it also contains a public key for asymmetric encryption.
2) Using asymmetric encryption (with public key in the server certificate) to establish a shared symmetric key which is used to transfer data between client and server securely by symmetric encryption (for performance reason because symmetric encryption is faster than asymmetric encryption).
The shared symmetric key is established by exchanging a premaster secret from client side (encrypted with server public key) and is derived from the pre-master secret together with client random and server random (thanks @EJP for pointing this out in the comment):
master_secret = PRF(pre_master_secret, "master secret",
ClientHello.random + ServerHello.random)
We need the server random and client random to prevent replay attacks that an attacker can capture the previous session and replay it for the new session.
What I don't understand is, couldn't a hacker just intercept the
public key it sends back to the "customer's browser", and be able to
decrypt anything the customer can.
The hacker cannot decrypt the message since he does not know the server private key. Be aware that public key cannot be used to decrypt the message.
