Since the pre-release 1.2.5 12w17a the network protocol is encrypted.
Totally there are two different encryption methods used. RC4 to encrypt every network packet after the login, and AES to transfer the RC4 packet at the login.
After the client connects to the server the client sends a 0x02 Handshake Request, which contains the Protocol Version (currently 31) and the username of the player connecting to the server. Now the server responds with a 0xFD Encryption Request packet, which contains the RSA Public key, the server generated at the server startup, and the serverId, which is used for the minecraft.net authentication. The client now creates a random RC4 Key for the packet encryption.
If the server id ist not "-" (offline mode) the client hashes the serverId from the 0x0D packet, the public RSA key from the server and the generated RC4 secret key. Now the client sends a Http Request to
[user_session] is the user session he got then he logged into minecraft, and the [hash] is the hash generated above.
The client uses the rsa public key to encrypt the RC4 Key and sends it to the server using a 0xFC Encryption Key Response packet. The server answeres with a 0xFC packet, too, with a empty byte-Array as shared key. The server decrypts the RC4 key with the generated private key. After this every packet on both sides are encrypted using the RC4 Key.
After this the client sends a Login Request (0x01) packet, and the server responds with a Login Response packet (0x01).
See Protocol FAQ to get infos about what happens next.