In this case, you crack the encryption by cutting and pasting the URL into your browser's address bar. Navigate to the link, and you get the decrypted message. It is encryption as theatre. Non-functional encryption. Encryption that hides nothing.
No, only if your browser has the right private key.
Let's say User A goes to the Corgea site. Their browser generates an RSA keypair, and appends the _public key_ to the URL, which is supposed to be visible.
When User B accesses that URL, User B's device generates an RSA keypair, and encrypts their message using User A's public key and User B's private key.
User B's generated URL will now contain User B's public key and the aforementioned encrypted message. User A decrypts using User B's public key and User A's private key.
tl;dr: Each browser client generates a keypair, and their private key is never exposed. You only ever encrypt/decrypt with _your_ private key, and someone else's public key.
