Annoying that they didn't actually provide anything useful that could help us all avoid this (fairly obvious IMHO) exploit.<p>This basically applies to <i>any</i> Wi-Fi hotspot where you first are redirected to a web page to sign in (called a "Captive Portal") rather than keying in a password or key before connection.<p>When you connect in this way there is nothing you can do to stop an attacker sitting elsewhere in the room hoovering up all your traffic and looking at it. Application layer security such as HTTPS and VPNs notwithstanding of course.<p>Based on a OMA WISPr standard. Version 1 doesn't support encryption but a second version with encryption was mooted but blocked by some patent activities.<p>The only way to have a secure Wi-Fi connection is to either have a pre-shared key (which is the other most common approach) or to use one of the WPA2 EAP protocols.