- This is all mitigated using WPA2 Enterprise since you have end-to-end per-user encryption
The real problem is that WPA lacks a mode suitable for secure public hotspots. Such a mechanism would need to provide
1: a way of verifying with a reasonable degree of certainty that the operator is who they claim to be even though the user hasn't previously interacted with them. Likely this means some kind of certification authority. At least the WPA enterprise deployment I've used (eduroam) required the user to manually install a certificate to connect securely.
2: a way of connecting as an "unknown user" with limited connectivity so that the user can go through the steps needed (agreeing to terms and conditions, possibly providing payment) to request full connectivity.
So in practice wifi hotspots tend to either use insecure wifi with a "captive portal" for authentication or they use WPA PSK with the password printed on a piece of paper and stuck on the wall.
HTTP STS helps mitigate the damage to some extent but it doesn't solve the underlying problem of the lack of a suitable WPA mode for hotspot operators.
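The "to some extent" above is worth making concrete. The snippet below is an added example, not code from the comment author: a small parser for the Strict-Transport-Security header (RFC 6797) plus an assessment of whether a given policy actually protects a client on an open hotspot. The header strings and the `in_preload_list` flag are constructed inputs; a real check would fetch the header over HTTPS and look the host up in the browser preload list. The key caveat it encodes is that HSTS is trust-on-first-use, so a site whose policy is not preloaded offers no protection on the very first plaintext request.

```python
from dataclasses import dataclass
from typing import Optional

# One year in seconds; the minimum most preload-list submission rules expect.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value per RFC 6797 6.1.

    Returns None when the header is invalid: a missing or non-numeric
    max-age, or a directive that appears more than once (the RFC says a
    user agent must then ignore the whole header). Unknown directives are
    ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(header_value: Optional[str], in_preload_list: bool = False) -> dict:
    """Judge how much an HSTS policy helps a client sitting on an open hotspot.

    'enforced' means a browser that has already seen the policy will refuse
    plaintext for this host. 'covers_first_visit' is only true when the host
    is shipped in the browser preload list (assumed input here); otherwise
    the first ever request can still be served or intercepted over HTTP.
    """
    findings = []
    if header_value is None:
        return {"enforced": False, "covers_first_visit": False,
                "findings": ["no Strict-Transport-Security header"]}
    policy = parse_hsts(header_value)
    if policy is None:
        return {"enforced": False, "covers_first_visit": False,
                "findings": ["malformed header; browsers ignore it"]}
    if policy.max_age == 0:
        # max-age=0 tells the browser to forget the host's HSTS state.
        return {"enforced": False, "covers_first_visit": False,
                "findings": ["max-age=0 disables HSTS for this host"]}
    if policy.max_age < ONE_YEAR:
        findings.append("max-age below one year; policy expires quickly")
    if not policy.include_subdomains:
        findings.append("no includeSubDomains; subdomains stay reachable over HTTP")
    covers_first = in_preload_list and policy.preload and policy.include_subdomains
    if not covers_first:
        findings.append("not preloaded; first plaintext visit is unprotected")
    return {"enforced": True, "covers_first_visit": covers_first, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    samples = {
        "strong, preloaded": ("max-age=31536000; includeSubDomains; preload", True),
        "strong, not preloaded": ("max-age=31536000; includeSubDomains", False),
        "weak": ("max-age=300", False),
        "disabled": ("max-age=0", False),
        "missing": (None, False),
    }
    for label, (hdr, preloaded) in samples.items():
        print(label, "->", assess_hsts(hdr, in_preload_list=preloaded))
```

The assessment mirrors the comment's point: once a browser has seen a long-lived policy, an interception attempt on the hotspot fails, but the policy has to have been delivered over HTTPS first, which is exactly the step an insecure hotspot cannot guarantee.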