I'll also add random facts that may or may got be factual...

HTTPS only tells you that the data will be encrypted to wherever it is going. If the end URL has been redirected (easily done in a cafe or hotel) or spoofed (slight misspelling for example) then you may end up with a secure connection to an attacker's server. By looking at the encryption certificate from the other end (such as a padlock, key, etc on the address bar) you can see who it was issued to and by. Typically you want something like British Airways and Verisign. Verisign and other trusted root parties are usually known by the browser and will get a green light. Red bits mean something is wrong. And check it isn't British Airlines, British Airwares, etc that were set up for a scam and went and got a valid certificate for themselves.