I saw many hotels use unencrypted WiFi and then expect you to type in a WiFi password over HTTPS. All HTTPS website requests are captured, and you get an "untrusted certificate" warning, and HTTP websites redirect to the correct HTTPS one.

Aside from not having HTTP data encrypted, as I would in WPA2, and the risk of getting people used to making exceptions in HTTPS certificates, does this scheme create any other risks one should be aware of?

schroeder
d33tah
    I'm not sure that `All HTTPS website requests are captured, and you get an "untrusted certificate" warning` is accurate. That's generally the sign of a proxy or MiTM attack, not a properly configured public WAP. – Neil Smithline Jan 22 '16 at 22:27

2 Answers

As Julian said, the lack of HTTPS allows for man-in-the-middle attacks. He also mentioned access point spoofing, which is relatively common, especially in certain countries.


What else should I be aware of?

I'm of the opinion that authentication is the least of your worries.

Without properly implemented HTTPS, in a man-in-the-middle attack - which can be performed by a state-level actor (think Chinese government, GCHQ, or the NSA) or by anyone with access to the network you're connecting to - attackers can inject malicious payloads into the website in question. All of your traffic can be snooped and replaced with malicious content.

Imagine you request jQuery.js, but the website in question serves you jQuery-hacked.js. This hacked version of jQuery ends up doing everything normally, but also provides an additional feature: it loads malicious JavaScript which you wouldn't normally be receiving, which introduces a vulnerability or ten.

Even worse, since websites can check to see whether or not you have Flash installed and running, along with its version, there could be an injection of a malicious, albeit invisible, Flash plugin into your webpage. I've experienced this attack in several places abroad.

At that point, it would not matter if you were behind seven proxies. Once remote code execution happens, or they use Flash to poll your unique hardware information, you're screwed.


Options to Help Protect Sensitive Information

Since this is a website about information security, and a lot of things we do here at our jobs include keeping information secure, then you should be aware of what can happen, and also take the necessary steps to avoid an information breach.

You'd do well to avoid all open WiFis (including hotels) unless you don't care about the device and its contents. I personally use unsecured WiFi all the time simply because I don't care about the devices or their contents, and also because I intend to study the spooky action going on behind the scenes.

Here's what I'd do if I had to protect sensitive information such as protected health information, personal information (customer data), or even government secrets:

  1. Do not use public WiFi.
  2. Do not use Flash. Ever.
  3. Do not enable JavaScript unless you have to. Also, use NoScript.
  4. Use HTTPS Everywhere.
  5. Do not use Java in your browser. Ever.
Mark Buffalo
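
The interception discussed in this thread can be observed from the client side: operating systems detect captive portals by fetching a plain-HTTP URL whose response is known in advance and treating any other answer as a sign that something on the path is rewriting traffic. The following is an added example, not part of either answer, that classifies such probe responses; the probe host `probe.example`, the portal host and the sample responses are constructed assumptions.

```python
from urllib.parse import urlsplit


def classify_probe(raw: bytes):
    """Classify the raw response to a plain-HTTP GET sent to a probe host
    (assumed here: probe.example) that always answers 204 with an empty body.

    Returns (verdict, host); host is the redirect target when there is one.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0].split(" ", 2)
    if (len(status_line) < 2 or not status_line[0].startswith("HTTP/")
            or not status_line[1].isdigit()):
        return ("malformed", None)
    status = int(status_line[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if status == 204 and not body:
        # Only this one probe arrived unmodified; other traffic may still be altered.
        return ("clean", None)
    if status in (301, 302, 303, 307, 308):
        # Something on the path answered for the probe host and sent us elsewhere.
        target = urlsplit(headers.get("location", "")).hostname
        return ("redirected", target)
    if status == 200 and body:
        # Body substituted in place: a portal page or injected markup.
        return ("content-replaced", None)
    return ("unexpected", None)


# Constructed sample responses (not captured from a real network).
CLEAN = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
REDIRECT = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://portal.hotel.example/login?dst=probe.example\r\n"
            b"Content-Length: 0\r\n\r\n")
REPLACED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>Enter your room number</body></html>")

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("redirect", REDIRECT), ("replaced", REPLACED)):
        print(name, classify_probe(raw))
```
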

The lack of an encrypted WiFi connection is sadly still common and it leaves you open to man-in-the-middle (MITM) attacks, Access Point spoofing/hijacking and similar attacks.

Certificate warnings should never be ignored as they can be a symptom of a MITM attack. However, it could simply be that the WiFi access point is configured with either a self-signed or an expired certificate or a certificate that was purchased under a slightly different domain name.

You should assume that all open WiFi networks using a captive portal (the ones that direct you to a web page to sign in) are insecure and treat them accordingly.

Never connect to ANY public WiFi without ensuring that your Windows Firewall is correctly configured and that you have sensible protection in place.

Preferably use a good VPN solution, especially one that deals directly with the captive portal page so that you don't have to use your normal browser for the initial handshake.

Alternatively, it is often simpler and more secure to use a phone as a data tether. If you have a reasonable 4G data plan, this is often faster than hotel WiFi anyway.

Julian Knight