Most public Wi-Fi hotspots use no encryption at all, and hence communication over them is not secure: anyone on the same network can read the traffic. Using a VPN as discussed here and here solves the issue, but very few people are actually aware of the problem and willing to take such measures. So far I thought there was little that could be done from the network side, because the WPA Pre-Shared Key (PSK) method is ineffective if everybody uses the same key (password): network monitoring tools can decode the encrypted traffic of any user if the key is known and that user's four-way handshake (the authentication and ciphering dialogue between device and access point) has been captured. But then I remembered that the University of Vienna offers secure Wi-Fi Internet access, so I checked out how they are doing it.
It turns out that they use individual EAP password authentication (WPA2 Enterprise, i.e. 802.1X) from which the Wi-Fi ciphering key (WPA2, AES) is then derived separately for each session. The username and password used in the Wi-Fi authentication process are the student's username and password for the campus network, stored centrally for all sorts of purposes, including Wi-Fi authentication and encryption. As each student uses individual credentials, and the key material comes out of the EAP exchange rather than out of a secret everybody shares, capturing the authentication dialogue will not yield the keys to decode the ciphered traffic later on, not even for a fellow student who knows his own password. A very elegant solution that only requires support for WPA2 Enterprise authentication in the Wi-Fi access point, plus an authentication server behind it that checks the credentials. On the client side, support is already built into the operating system. It's quite clumsy to set up with Windows XP, but with Windows Vista, Windows 7, Linux and Mac OS the configuration is straightforward. It even works with Symbian and Android devices and the iPhone.
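To make the difference between the two modes concrete, here is an added example (not code from the original post or from the University of Vienna) that walks through the WPA2-PSK key hierarchy with the Python standard library: the PMK is PBKDF2 of passphrase and SSID, the pairwise keys are a PRF of the PMK and four values that travel in the clear during the handshake (both MAC addresses, both nonces), and the MIC of handshake message 2 lets an eavesdropper confirm the derived keys. The hotspot name, passphrase, MAC addresses and nonces are constructed sample values; the handshake frame is a minimal EAPOL-Key message built for the example. With WPA2 Enterprise the PMK comes out of the individual EAP exchange instead of out of the shared passphrase, so the same capture gives the eavesdropper nothing to start from.

```python
"""
Why a hotspot passphrase shared by all users gives no confidentiality
between those users: every key of a WPA2-PSK session is computed from the
passphrase, the SSID and values sent in the clear during the four-way
handshake. Standard library only; all sample values are constructed.
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bit)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Pairwise transient key for WPA2/CCMP (384 bit) -> (KCK, KEK, TK).

    aa/spa are the AP and station MAC addresses, anonce/snonce the nonces
    from handshake messages 1 and 2. All four travel unencrypted.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck, frame):
    """Key MIC for WPA2/AES (key descriptor version 2): HMAC-SHA1 over the
    EAPOL-Key frame with its MIC field (bytes 81..96) zeroed, cut to 16 bytes."""
    buf = bytearray(frame)
    buf[81:97] = bytes(16)
    return hmac.new(kck, bytes(buf), hashlib.sha1).digest()[:16]


def build_eapol_msg2(kck, snonce):
    """Minimal EAPOL-Key message 2 (station -> AP) carrying SNonce and a valid MIC."""
    body = bytearray(95)
    body[0] = 2                                   # descriptor type: RSN key descriptor
    body[1:3] = (0x010A).to_bytes(2, "big")       # key info: version 2, pairwise, MIC set
    body[3:5] = (16).to_bytes(2, "big")           # key length (CCMP temporal key)
    body[5:13] = (1).to_bytes(8, "big")           # replay counter
    body[13:45] = snonce
    frame = bytearray(b"\x02\x03" + len(body).to_bytes(2, "big") + body)  # EAPOL v2, Key
    frame[81:97] = eapol_mic(kck, frame)
    return bytes(frame)


def recover_tk(passphrase, ssid, aa, spa, anonce, snonce, msg2):
    """What a monitoring tool does with the shared passphrase and a captured
    handshake: derive the candidate PTK and check it against the MIC of message 2.
    Returns the traffic key TK on success, None if the passphrase does not fit."""
    kck, _kek, tk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(kck, msg2), msg2[81:97]):
        return None
    return tk


# Constructed sample hotspot: every guest gets the same passphrase.
SSID = "CafeHotspot"
PASSPHRASE = "free-coffee-wifi"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))            # random in reality, but sent in the clear
SNONCE = bytes(range(32, 64))


def demo():
    """Returns (TK used by the victim, TK recovered by another guest, result with a wrong passphrase)."""
    # The victim's station derives its keys from the shared passphrase ...
    kck, _, victim_tk = derive_ptk(derive_pmk(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = build_eapol_msg2(kck, SNONCE)
    # ... and another guest who sniffed messages 1 and 2 derives the very same TK.
    sniffed_tk = recover_tk(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2)
    wrong = recover_tk("not-the-passphrase", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2)
    return victim_tk, sniffed_tk, wrong


if __name__ == "__main__":
    v, s, w = demo()
    print("victim TK  ", v.hex())
    print("sniffed TK ", s.hex(), "(same key)" if s == v else "(mismatch)")
    print("wrong pass ", w)
```

The MIC check in recover_tk is the same test that offline cracking tools run for each passphrase candidate; with the passphrase printed on the hotspot's sign there is nothing to crack. In the enterprise case the value fed into derive_ptk is not derive_pmk(passphrase, ssid) but a per-session PMK handed from the authentication server to the access point, which is why a second user with his own valid credentials still cannot reproduce it.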
The only catch of this solution: the server certificate is not provided to the users, as that would have to be done offline, i.e. it's too complicated. That means that the device cannot authenticate the network, and hence a rogue access point with its own authentication server can impersonate the campus network; the device will start its password exchange with whoever claims to be that network, so the rogue access point can be used for a man-in-the-middle attack.
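What the missing server certificate means in practice, as an added example for the Linux client mentioned above (not configuration from the original post or from the University of Vienna): a wpa_supplicant network block for such a network. The SSID, the EAP method (PEAP with MSCHAPv2 as the inner password method; the post only says "EAP password authentication"), the username, password, certificate path and RADIUS server name are all assumed for the example.

```conf
# /etc/wpa_supplicant/wpa_supplicant.conf (example values, not a real deployment)
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="student123"
    password="s3cret-example"

    # Without the two lines below the supplicant accepts any server
    # certificate, which is exactly the setup described above: a rogue
    # access point with its own RADIUS server is indistinguishable from the
    # campus network and can act as man in the middle of the login.
    #
    # To let the device authenticate the network, the operator's CA
    # certificate must be on the device and the supplicant must check that
    # the server certificate is issued for the expected RADIUS host:
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
}
```

Both settings are only as good as the offline step the post calls too complicated: the CA certificate has to reach the device by some channel other than the Wi-Fi network it is meant to verify.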