For ultimate security you should disable HTTP in your browser when on untrusted networks. This can often be achieved by setting an invalid proxy address for HTTP traffic (e.g. 127.0.0.1) and leaving the HTTPS one to directly connect.
This is only really an issue if any of the sites you use are vulnerable to cookie poisoning attacks. See my answer here regarding an example where there is an XSS vulnerability due to the cookie value being reflected. Normally this cookie would be secure because it is only ever browseable over HTTPS. However, as cookies share the same origin over protocols (i.e. the Same Origin Policy for cookies is slightly more relaxed: http cookies can be read under https on the same domain), it could be poisoned by a MITM on an untrusted network to exploit the vulnerability.
If disabling HTTP is a step too far (as it would cause many sites to be inaccessible), then always using a VPN would be the way to go.
To avoid any CSRF vulnerabilities on sites you navigate to on an untrusted network you should open each trusted site in a new incognito or private session. This will stop any other websites from forging requests to your trusted site as the cookie will no longer be passed.
The above will also prevent POODLE attacks as a MITM attacker can't "get in the middle" due to HTTP not being enabled *, and also won't be able to include cookies in any cross-site traffic as your logged in session is in its own private session with isolated cookies.
Also note that a bank's website is unlikely to contain vulnerabilities that might loosen security of itself on an untrusted network; the above are really tips to make you more secure on other, more vulnerable sites you may browse on untrusted networks that you may need to log into.
* By "get in the middle" I mean an MITM now cannot intercept a plain HTTP request and use that as the platform to inject HTTPS requests into the POODLE vulnerable site because plain HTTP is now disabled. The attacker would instead need to entice the user to visit the attacker's HTTPS site directly in order to have a platform available to send cross origin AJAX requests to the POODLE vulnerable site.
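The cookie-scope behaviour the answer relies on (a cookie set by a plain-HTTP response is sent to the HTTPS origin of the same host, because scheme is not part of a cookie's identity) can be shown with a small RFC 6265-style cookie jar. This is an added, constructed example, not code from the answer above; the host `bank.example`, the cookie names and values, and the `strict_secure` / `http_disabled` knobs are assumptions. `http_disabled` models the answer's "invalid HTTP proxy" trick (plain-HTTP responses never reach the browser), and `strict_secure` models the "Leave Secure Cookies Alone" rule from RFC 6265bis that current browsers implement, under which a non-secure origin can neither create a `Secure` cookie nor overwrite an existing one.

```python
"""Toy cookie jar: why a MITM on plain HTTP can poison a cookie that is
then sent over HTTPS, and two defences that stop it. Constructed example."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool  # carries the Secure attribute: only ever sent over https


def parse_set_cookie(header):
    """Parse the subset of Set-Cookie needed here: name=value plus Secure/Domain."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


class CookieJar:
    def __init__(self, strict_secure=False, http_disabled=False):
        # Cookie identity is (name, domain); the scheme that set it is NOT part
        # of the key, which is exactly the relaxed same-origin rule for cookies.
        self.cookies = {}
        self.strict_secure = strict_secure  # RFC 6265bis "Leave Secure Cookies Alone" (assumed model)
        self.http_disabled = http_disabled  # plain-HTTP responses are dropped (invalid proxy trick)

    def set_cookie(self, response_url, header):
        """Store a cookie from a response; return False if it was rejected."""
        url = urlsplit(response_url)
        over_https = url.scheme == "https"
        if self.http_disabled and not over_https:
            return False  # the response never arrived, so nothing can be planted
        name, value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", url.hostname).lower().lstrip(".")
        secure = "secure" in attrs
        key = (name, domain)
        if self.strict_secure and not over_https:
            if secure:
                return False  # a non-secure origin may not create a Secure cookie...
            existing = self.cookies.get(key)
            if existing is not None and existing.secure:
                return False  # ...nor overwrite one that already exists
        self.cookies[key] = Cookie(name, value, domain, secure)
        return True

    def cookie_header(self, request_url):
        """Build the Cookie header a request to request_url would carry."""
        url = urlsplit(request_url)
        over_https = url.scheme == "https"
        host = url.hostname.lower()
        sent = [c for c in self.cookies.values()
                if c.domain == host and (over_https or not c.secure)]
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def poisoning_scenario(strict_secure=False, http_disabled=False):
    """Legitimate HTTPS login, then a MITM-injected plain-HTTP response that
    tries to replace the session cookie. Returns (planted?, header sent over HTTPS)."""
    jar = CookieJar(strict_secure, http_disabled)
    jar.set_cookie("https://bank.example/login", "session=legit; Secure")
    planted = jar.set_cookie("http://bank.example/", "session=attacker-chosen")
    return planted, jar.cookie_header("https://bank.example/account")


if __name__ == "__main__":
    print("legacy jar:      ", poisoning_scenario())
    print("strict secure:   ", poisoning_scenario(strict_secure=True))
    print("HTTP disabled:   ", poisoning_scenario(http_disabled=True))
```

In the legacy jar the planted value replaces the `Secure` cookie and is sent to the HTTPS origin, which is what lets a MITM reach a reflected-cookie XSS on an otherwise HTTPS-only site. Either defence leaves the original `session=legit` intact: blocking plain HTTP removes the injection channel entirely, and the strict-secure rule refuses the overwrite even when the HTTP response does arrive.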