if
Setup fake hotspot with believable name. Check (although you forgot the de-auth packet flood to disconnect everyone on those other APs).
Poison the responses from DNS. Check
Obtain an SSL certificate for natwest.com
Yeah, no. Obtaining a fake certificate isn't completely impossible because CAs have and probably will in the future make mistakes. Some guy ended up with a github certificate a few months back due to a CA stuff up. But CAs have been distrusted for giving out fakes (Google diginotar). We have also seen the likes of Lenovo and Dell installing themselves as certificate authorities, and I believe in the Dell case this could have been used to sign a fake server.
Far more likely is someone registering natvvest.com and getting a legitimate certificate for that domain. Of course, if natwest used* HSTS then the redirect page wouldn't be trusted by your browser. (A 302 is needed because the browser is expecting a certificate owned by natwest.com, not natvvest.com. If the original request is http, it can be intercepted and responded to, redirecting your browser to the new domain.)
The actual problem with https is that an observer can correlate who you are talking to and the response size and infer what you are doing. The Facebook image on this article is 13282 bytes. How many other el reg resources are exactly that size?
Tl;dr - https doesn't give you perfect security, but it is inarguably better than http.
*They may well. I didn't check.
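The HSTS point in the post above, worked through as an added example (not code from the original post or from any bank): a minimal model of how a browser stores and applies a Strict-Transport-Security policy, showing why a remembered policy for the real domain removes the plaintext http request that the "intercept and 302 to a look-alike domain" trick depends on. The header value and hostnames are constructed for illustration; port rewriting (80 to 443) and the preload list are omitted.

```python
"""Added example: a toy model of browser-side HSTS handling.
Not the original post's code; header values and hostnames are constructed."""
from urllib.parse import urlparse


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None when the header carries no
    usable max-age (a browser ignores such a header entirely).
    """
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return (max_age, include_sub)


def record_policy(store, host, header_value):
    """Remember a policy seen over a *trusted HTTPS* response from `host`.

    `store` maps hostname -> includeSubDomains flag. A max-age of 0 tells the
    browser to forget the host. Headers seen over plain http are never stored,
    which is why only the real site can ever create an entry for itself.
    """
    parsed = parse_hsts(header_value)
    if parsed is None:
        return store
    max_age, include_sub = parsed
    host = host.lower()
    if max_age == 0:
        store.pop(host, None)
    else:
        store[host] = include_sub
    return store


def hsts_applies(store, host):
    """True if `host` itself, or a parent with includeSubDomains, has a policy."""
    host = host.lower()
    if host in store:
        return True
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if store.get(parent):  # parent present AND flagged includeSubDomains
            return True
    return False


def effective_url(store, url):
    """Return the URL the browser would actually send on the wire.

    An http URL covered by HSTS is upgraded before any request leaves the
    machine, so there is no plaintext request for a rogue hotspot to answer
    with a 302. A look-alike domain with no stored policy is fetched as typed.
    """
    parts = urlparse(url)
    if parts.scheme == "http" and hsts_applies(store, parts.hostname or ""):
        return parts._replace(scheme="https").geturl()
    return url


if __name__ == "__main__":
    # Constructed: a policy the real site would have sent over HTTPS earlier.
    policies = record_policy({}, "natwest.com", "max-age=31536000; includeSubDomains")
    print(effective_url(policies, "http://www.natwest.com/login"))   # upgraded
    print(effective_url(policies, "http://natvvest.com/login"))      # untouched
```

The design point is the last function: HSTS is not a server-side check but a client-side rewrite that happens before the first packet, so the interception described in the post has nothing to intercept once the browser has ever seen the real site's policy (or has it preloaded). It does nothing for a domain the browser has no policy for, which is exactly the look-alike case.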