From what I've read, using https:// is safe. Is this true for networks set up for malicious purposes?
If done right https is still safe. But, if you (actively) accept any kind of untrusted certificate (self-signed or signed by unknown CA) an active man-in-the-middle attack is possible. If the attacker owns a public root-CA or some intermediate CA or managed to issue specific certificates it is even possible to mount such attack without needing the victim to actively accept the spoofed certificates. While this is unlikely it was actually done.
If you are connecting to a site which uses public key pinning or certificate pinning (like access to google.com
from Google Chrome) you are still safe in this case, but only for accessing these specific sites.
If the attacker instead managed to steal some high value certificate or issue such certificate for sites not protected by pinning, than it is possible to do harm on other sites too, because high-value sites like google-analytics.com
, jquery.com
etc are often included as script into other sites.
If I visit websites where I'm already logged in, and thus don't enter any passwords, can my credentials to these websites be compromised? What about session hijacking?
For HTTPS you should be safe (see above). For plain HTTP it depends a lot on the site. Some sites not only use a random session cookie but also add browser fingerprint into it. This makes session hijacking harder but usually not impossible. Other sites instead let you change the users password or the reset e-mail without asking for the old password. In these cases a permanent takeover of the account is possible.
EDIT to summarize the good comments here: any security collapses when you use unencrypted HTTP (or FTP). From then on sslstrip, script or HTML injection etc make it possible for an attacker to hijack anything. So you better disable HTTP and FTP , which could be done by setting the relevant protocol proxy to something non-existent.