Tips for Using Public Wi-Fi Networks

If you connect to a Wi-Fi network, and send information through websites or mobile apps, it might be accessed by someone else.

To protect your information when using [non-secure unencrypted public] wireless hotspots,
(1) send information only to sites that are fully encrypted, and
(2) avoid using mobile apps that require personal or financial information.

So, for me, avoid checking roadrunner email at coffee shops, libraries, airports, hotels, universities, and other public places.  In HK, use secure gov wifi, avoid checking the email at HK airport.
And don't use CapitalOne360 or other apps over those public hotspots; use it at my home Wi-Fi is OK because it is WPA2.

"When you’re using wireless networks, it’s best to send personal information only if it’s encrypted — either by an encrypted website or a secure Wi-Fi network. An encrypted website protects only the information you send to and from that site. A secure wireless network encrypts all the information you send using that network."

"Some websites use encryption only on the sign-in page, but if any part of your session isn’t encrypted, your entire account could be vulnerable. Look for https on every page you visit, not just when you sign in."

What About Mobile Apps?

Unlike websites, mobile apps don’t have a visible indicator like https. Researchers have found that many mobile apps don’t encrypt information properly, so it’s a bad idea to use certain types of mobile apps on unsecured Wi-Fi. If you plan to use a mobile app to conduct sensitive transactions — like filing your taxes, shopping with a credit card, or accessing your bank account ­— use a secure wireless network or your phone’s data network (often referred to as 3G or 4G). 

If you must use an unsecured wireless network for transactions, use the company’s mobile website — where you can check for the https at the start of the web address — rather than the company’s mobile app.



So, my conclusion:
(1) use secure Wi-Fi network: a) my NYC home; b) HK secure gov wifi.  How about Time Warner Wi-Fi?
(2) use my phone's data network (any G, how about 2G?) . 
(3) use https.  But remind this: protects only the information you send to and from that site. If there is other underlying traffic (by AJAX or others) using HTTP to send information to other sites, it is not protected.
"Gmail is safe because it uses HTTPS for the whole session, but Facebook and many other sites do not." (Jan. 2011)
More:
when accessed via HTTPS, many sites will only carry out the authentication step over HTTPS, and then drop back to HTTP for the rest of the session. So, your password itself is safe, but the session ID used by the server to identify you for that session is transmitted in the clear by your browser. This reduces the load on the web server (because encryption/decryption is CPU-intensive) but makes the site much less secure. 

This is how tools such as Firesheep are able to hijack users' accounts when an attacker is sharing an unencrypted wireless network.
You can protect yourself from this attack by either using a VPN to encrypt all session data, or by only using networks which have strong, per-user encryption such as WPA-PSK (WEP uses the same key for every user, and so does not offer protection from this attack).  (Jan. 2011)

(4) avoid using mobile apps that require personal or financial information because we don't know how the apps handle Internet traffic (through Wi-Fi or data network?  If using Wi-Fi, encrypt information or not? And is the encryption strong enough? Encrypted properly?)  But I think WhatsApp is OK.  So no need to avoid using WhatsApp at HK airport.

(5) use paid (don't use free) VPN:

If you regularly access online accounts through Wi-Fi hotspots, use a virtual private network (VPN). VPNs encrypt traffic between your computer and the internet, even on unsecured networks. You can get a personal VPN account from a VPN service provider. In addition, some organizations create VPNs to provide secure, remote access for their employees. What’s more, VPN options are available for mobile devices; they can encrypt information you send through mobile apps.

"some VPN services, especially "free" ones, can actually violate their users' privacy by logging their usage and making it available without their consent, or make money by selling the user's bandwidth to other users."   wiki

"As long as it's certificate based and it gives you a warning if the certificate doesn't match src

(6)

Installing browser add-ons or plug-ins can help. For example, Force-TLS and HTTPS-Everywhere are free Firefox add-ons that force the browser to use encryption on popular websites that usually aren't encrypted. They don’t protect you on all websites — look for https in the URL to know a site is secure.

 

Resource:

https://www.consumer.ftc.gov/articles/0014-tips-using-public-wi-fi-networks  

wiki 

Is visiting HTTPS websites on a public hotspot secure?    mirror