When you use SSL to secure web sites, attackers are not supposed to be able to see the URLs you are visiting. URLs can reveal what specific content you are looking at. Unfortunately, a new attack that can be used by hotspot operators has been reported:
Take a look at your browser bar right now. It has "https" which means you're secure. And it also has the title of this article. With this attack, a malicious operator of a public hotspot could determine that you are reading this very article. That's supposed to be impossible.