It doesn't. Is it possible to do a MITM attack on the person at the neighboring coffee-shop table?
The only way I can think of involves being really clever about timing and being physically between the other wireless client and the AP: create enough interference to prevent their transmission from getting through to the AP right after you read the transmission, then quickly forge a request using the same one-time key.
Of course, if someone has access to the packets upstream from the AP, you're always hosed if you're not using encryption. This certainly isn't meant as a replacement for AES. :)
DNS (the UDP responses are easy to forge) is a great way to do it. You just have to be faster than the real DNS server, which might be tricky if it's local and caching.
For ARP-based attacks you'd presumably announce yourself as the owner of the default gateway's IP address, routing all data through your system.
Hijacking DHCP springs to mind; respond with an address on a completely different subnet, and your system as default gateway. Again, jackpot.
You could also install a rogue wireless access point with the same SSID, which would let you route all traffic through your system. You just need people's devices to pick yours over the real one, which would presumably require yours to have a stronger signal.
All of the above let you install a transparent proxy which gives you complete control over the target's browser's security context.
Interestingly, the rogue access point would even work with WPA(2)-PSK encrypted wifi, if you knew the key.
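Since the thread only names the techniques, here is an added defender-side example (my code, not from the post or its author) showing how a client on the coffee-shop LAN could notice the ARP variant described above: it compares two `ip neigh`-style snapshots and flags the default gateway changing its MAC, or one MAC answering for the gateway and another host. The snapshots and the gateway address are constructed for the example.

```python
"""Spot ARP-spoofing symptoms against the default gateway.

Added example: parses two ARP-table snapshots (constructed here, in the
"ip neigh" output format) and reports (a) the gateway IP moving to a new
MAC between snapshots and (b) a single MAC claiming the gateway IP plus
another address, which is what a neighbor impersonating the router looks like.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumption: the LAN's default gateway

# Constructed sample snapshots, not captured from any real network.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.42 dev wlan0 lladdr de:ad:be:ef:00:42 REACHABLE
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:42 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.42 dev wlan0 lladdr de:ad:be:ef:00:42 REACHABLE
"""


def parse_neigh(text):
    """Parse `ip neigh`-style lines into {ip: mac}.

    Entries without an lladdr field (e.g. FAILED/INCOMPLETE) are skipped.
    """
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            ip = fields[0]
            mac = fields[fields.index("lladdr") + 1].lower()
            table[ip] = mac
    return table


def duplicate_macs(table):
    """Return {mac: [ips]} for every MAC that claims more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(before_text, after_text, gateway_ip=GATEWAY_IP):
    """Compare two snapshots and return a list of human-readable alerts."""
    before = parse_neigh(before_text)
    after = parse_neigh(after_text)
    alerts = []

    # Symptom (a): the gateway's MAC changed between snapshots.
    old_mac = before.get(gateway_ip)
    new_mac = after.get(gateway_ip)
    if old_mac and new_mac and old_mac != new_mac:
        alerts.append(f"gateway {gateway_ip} changed MAC {old_mac} -> {new_mac}")

    # Symptom (b): one MAC answers for the gateway and for another host.
    for mac, ips in duplicate_macs(after).items():
        if gateway_ip in ips:
            others = ", ".join(ip for ip in ips if ip != gateway_ip)
            alerts.append(f"MAC {mac} answers for gateway and {others}")
    return alerts


if __name__ == "__main__":
    for alert in check_gateway(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print("ALERT:", alert)
```

Either symptom alone is only a hint (a router swap or a legitimate VRRP failover also changes the gateway MAC), but on a network you do not control it is exactly the signal that justifies trusting nothing below the TLS layer, which is the end-to-end point the rest of the thread lands on.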
But that's the part of the connection we are worried about. End to end encryption from the client to the website is needed. I still don't see where your idea comes in. Clearly I'm not understanding something.