Originally Posted by docbert
You got that part right...
The answer is very much "yes and no", depending mainly on you, but also in part on the website.
This guy has it right (mostly). The entire point of HTTPS is that you can use public connections and still have secure communication. As long as your OS is good, your root certificates haven't been compromised, and the URL is known and trusted, then there is no way to introduce a man-in-the-middle type of attack.
Human Factors
The validity of the URL is usually established using a relatively new HTTPS security standard that provides some sort of visual indication of the level of trust established for a particular website. If you go to https://www.chase.com you will see a large green bar or indicator on your browser that says something to the effect of JP Morgan Chase. These certificates are difficult to obtain from the certificate authority. A scammer/hacker will not be able to get these. Make yourself aware of the icon and you will be protected (mostly).
However, there are a few caveats:
- There was an iPhone bug that disabled root-certificate validations.
- The indicators may not be obvious, and you may not remember them.
- The NSA may compromise root certificates and issue false certificates (rare, difficult to defend against anyway with protected access points).
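
The conditions in the post above can be checked from the client side. This is an added example, not part of the original post: it audits a Python TLS client context for disabled chain or hostname validation and reads the organization name that a browser's identity indicator displays. The function names and the sample certificate are constructed for illustration.

```python
import ssl

def audit_client_context(ctx):
    """List the ways this client context would accept an impostor's certificate."""
    findings = []
    # Without CERT_REQUIRED the server's chain is never checked against the roots.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain is not verified against the trusted root store")
    # Without hostname checking, any valid certificate for any site is accepted.
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the requested hostname")
    return findings

def subject_organization(peer_cert):
    """Return organizationName from an SSLSocket.getpeercert() dict, or None."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def hardened_context():
    # Library defaults: system root store, chain and hostname validation on.
    return ssl.create_default_context()

def weakened_context():
    # The failure mode in the first caveat: validation switched off.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

# Constructed sample in the shape getpeercert() returns after a verified handshake.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Bank N.A."),),
        (("commonName", "www.example-bank.test"),),
    ),
}

if __name__ == "__main__":
    print("hardened:", audit_client_context(hardened_context()))
    print("weakened:", audit_client_context(weakened_context()))
    print("organization:", subject_organization(SAMPLE_PEER_CERT))
```
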