afaik (and from my own experience) that won't work.

  "As long as the universally supported WPA encryption protocol is used,
  each individual user receives their own private “session key” that absolutely 
  prevents eavesdropping between users, even through they are all using the
  same WiFi password."

from: http://steve.grc.com/2010/10/28/instant-hotspot-protection-f...

Yeah, we tested it on our WPA encrypted wireless and didn't get anything. It was seen when I logged into facebook but my coworker wasn't able to login as me. At least not with Firesheep.

Securing the connection layer doesn't matter. With a $10 Wifi card I can create an infrastructure access point called "Starbucks Wifi" or whatever I want that's encrypted with anything (WPA2, WEP, open... doesn't matter). Then when you connect to that, I get all your packets and can steal your session.

Now, sure, this attacks costs me $10 for the wifi card and it's not as fast as connecting to Starbucks' wifi and opening a Firefox tab... but you will still get a lot of data.

Link-level encryption is not the same as session encryption. For your link to be secure, you need link-level encryption. For your session to be secure, you need session-level encryption. It's that simple. Facebook is a session, not a link, so Facebook needs SSL.

There is simply no other workaround.

(And oh yeah, you need to authenticate who you are talking to. The access point asks you for a password to prove that you are allowed to talk to it. But you don't ask it for a password to prove that it is allowed to talk to you. Connecting to an access point is like giving your credit card information to the call that starts like, "Is this jrockway? There's a problem with your credit card...". They know who you are, but you have no idea whether they are actually your bank.)

I have wondered about the same question. Strange, I upvoted your question but it still only has one point.