Firstly, use up-to-date virus and malware protection... if your device is compromised (e.g. keystroke loggers), you've lost the battle before it starts no matter how secure the connection.
All your connections to sites where you exchange private information should by secured by certificates and up-to-date encryption technologies. Start by verifying that the URL starts with 'HTTPS' and not 'HTTP' (this has been mentioned before).
However, not all HTTPS is the same. Many sites (even banks I deal with) do use security but are slow to keep up with the state-of-the-art.
An easy way to find out how good their tech is using the Chrome browser is to look at the lock icon just before the 'https' on the address line https://support.google.com/chrome/answer/95617?hl=en
(Firefox has something similar - https://support.mozilla.org/en-US/kb...tion-is-secure
). There are a number of different icons I have seen and you can click on the icon to get a report of the quality of the security. A 'lock' with a solid green body is best - this means the latest tech is in place and that your session is secure against all but an NSA-level attack. If the lock has a yellow triangle, it is still OK (would need significant effort to crack a session - a brute-force attack would probably take longer than the sensitivity lifetime of the data) but should be updated - let the site's admin know. If the lock has a red X and the 'https' is struck out with a red line, its garbage and should not be used for sensitive information.
If I have either the green or orange triangle I will go ahead and use the site over WiFi. It really doesn't matter to me how compromised the WiFi access point is because as long as your device is not compromised, the data packets (payload) are encrypted end-to-end and I don't care how many of those a hacker can grab. It doesn't matter that the headers can be read from a compromised access point - there's no sensitive information there (unless you consider your metadata super-secret too - in which case, what are you doing using a computer or a phone now?).
The thing about HTTPS security is that each time you access the site, a fresh session key is negotiated using slow-but-good public-key cryptography. That session key is then used for a fast-but-not-as-good encryption of the bulk data for that session only
. The 'fast-but-not-as-good' encryption is generally accepted to be good enough because the duration of the session is going to be short enough that not enough data will be exchanged using it to facilitate a reasonable attack.
2015 Rockwood Signature UltraLite 8282WS Platinum, GY Marathon LRD, TST 507RV TPMS
2005 GMC 2500HD CCSB D/A, Curt E16, Prodigy P2, Garmin RV760LMT w/BC-20 b/u cam