Public WiFi Security: How to Stay Safe on Open Networks

Public WiFi at airports, cafes, and hotels is convenient but risky. Learn the real threats, what HTTPS already protects, and the additional steps you should take.

Passwordly Team

The Real Risks of Public WiFi

Public WiFi networks — at airports, coffee shops, hotels, libraries, and restaurants — are convenient but inherently less secure than your home network. The fundamental issue is that you share the network with strangers, and in many cases, the network itself is unencrypted (open, with no password).

However, the public WiFi threat is often exaggerated by VPN marketing. The reality in 2026 is more nuanced than "public WiFi is dangerous, period." Let's separate genuine risks from marketing fear:

Genuine risks:

  • Network sniffing on unencrypted networks. On an open (no-password) WiFi network, any device can capture broadcast traffic. If you're sending data over an unencrypted protocol, it's visible to other users.
  • Evil twin attacks. An attacker creates a fake WiFi access point with a name matching the legitimate one. You connect to the attacker's network instead of the real one.
  • DNS spoofing. Malicious network operators can redirect your DNS queries to serve fake versions of websites.
  • Captive portal dangers. The login page you see when connecting could be fake or could inject tracking/malware.
  • Session hijacking (on unencrypted connections). If a website uses HTTP (not HTTPS), an attacker on the same network can steal your session cookie.

Overstated risks:

  • Reading your encrypted traffic. If you're using HTTPS (and you almost always are in 2026), an attacker on the network cannot read the content of your connections. HTTPS protects the data between your device and the website's server.
  • Hacking your device through WiFi. Simply connecting to a WiFi network doesn't expose your device to hacking unless you have vulnerable services running (which modern OSes don't by default).

What HTTPS Already Protects

The most important fact about public WiFi security in 2026: the vast majority of your internet traffic is already encrypted by HTTPS.

As of 2026, over 95% of web traffic uses HTTPS (up from ~30% in 2015). When you connect to a website over HTTPS:

  • Your data is encrypted between your device and the website's server using TLS. An eavesdropper on the network sees encrypted gibberish.
  • The server's identity is verified through certificates. Your browser will warn you if the certificate doesn't match or is invalid (indicating a possible man-in-the-middle attack).
  • Data integrity is guaranteed. The encryption prevents tampering — an attacker can't modify the data in transit.

What HTTPS does NOT hide from the network:

  • DNS queries (which domain you're visiting) — unless you use encrypted DNS (DoH/DoT)
  • The IP addresses you connect to — an observer knows you're connecting to Netflix's servers even if they can't see what you're watching
  • Connection metadata — timing, data volume, and frequency of connections
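
To make the DNS point concrete, the following added example (not part of the original article) builds a classic unencrypted DNS query in RFC 1035 wire format and then recovers the hostname from the raw bytes, which is all any device on the path needs to do. The function names and the hostname `mail.example.com` are illustrative assumptions; with DoH/DoT the same message travels inside TLS to the resolver instead.

```python
import struct


def build_dns_query(hostname, txid=0x1A2B):
    """Build a standard A-record query as sent over plain UDP port 53."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in hostname.rstrip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        # Each label is a length byte followed by the label in cleartext.
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN


def observed_qname(packet):
    """Recover the queried name from raw bytes, as an on-path observer could."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question section")
    labels, pos = [], 12  # the question starts right after the 12-byte header
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question")
        length = packet[pos]
        pos += 1
        if length == 0:  # root label terminates the name
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length


if __name__ == "__main__":
    pkt = build_dns_query("mail.example.com")  # constructed sample name
    print(pkt.hex())
    print("visible to the local network:", observed_qname(pkt))
```
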

For most everyday activities — banking, email, social media, shopping, streaming — HTTPS provides strong protection even on public WiFi. The attacker on the coffee shop network cannot read your bank password, see your emails, or access your streaming account.

Evil Twin Attacks

The evil twin attack is the most practical threat on public WiFi. An attacker sets up a fake access point that mimics the legitimate network:

How it works:

  1. You're at "CoffeeHouse" and look for their WiFi
  2. You see two networks: "CoffeeHouse_WiFi" (the real one) and "CoffeeHouse_WiFi" (the attacker's)
  3. The attacker's signal may be stronger (they're sitting closer to you), so your device connects to it
  4. All your traffic now flows through the attacker's device
  5. The attacker forwards your traffic to the real network (so you still have internet access and don't notice anything wrong)
  6. As a man-in-the-middle, the attacker can log your DNS queries, see which sites you visit, and attempt to intercept unencrypted traffic

What the attacker can do with an evil twin:

  • See which websites you visit (via DNS queries and connection metadata)
  • Intercept any HTTP (non-HTTPS) traffic in plaintext
  • Present fake captive portals that harvest credentials
  • Attempt SSL stripping (downgrading HTTPS to HTTP) — though modern browsers and HSTS make this increasingly difficult
  • Serve fake DNS responses, redirecting you to phishing versions of websites (more effective if you ignore certificate warnings)

What the attacker CANNOT do (if you use HTTPS and don't ignore warnings):

  • Read your encrypted (HTTPS) traffic
  • Access your accounts on properly configured HTTPS websites
  • Intercept end-to-end encrypted messages (Signal, WhatsApp)
  • Read VPN tunnel traffic

Protection:

  • Forget and re-verify networks — don't auto-connect to familiar-sounding networks
  • Use a VPN (encrypts all traffic, including DNS, from your device to the VPN server)
  • Enable encrypted DNS (DoH/DoT) to prevent DNS-based attacks
  • Never ignore browser certificate warnings — they may indicate an active attack
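
A defender-side heuristic for the duplicate-name situation described above, as an added example that is not part of the original article: it groups WiFi scan results by network name and flags access points whose security mode or vendor prefix (OUI) differs from the others advertising the same name. The record fields, function names, and sample BSSIDs are constructed assumptions, and because a BSSID can be spoofed, a clean result does not prove a network is genuine.

```python
from collections import Counter, defaultdict

# Constructed scan results (not a real capture). Field names are assumptions;
# map them from whatever your OS WiFi scanner reports.
SAMPLE_SCAN = [
    {"ssid": "CoffeeHouse_WiFi", "bssid": "00:11:22:10:22:01", "security": "WPA2"},
    {"ssid": "CoffeeHouse_WiFi", "bssid": "00:11:22:10:22:02", "security": "WPA2"},
    {"ssid": "CoffeeHouse_WiFi", "bssid": "00:aa:bb:f3:9b:7c", "security": "OPEN"},
    {"ssid": "Library-Guest", "bssid": "00:33:44:55:01:10", "security": "OPEN"},
    {"ssid": "Library-Guest", "bssid": "00:33:44:55:01:11", "security": "OPEN"},
]


def _outliers(aps, key):
    """BSSIDs whose key(ap) value is in the minority for this SSID."""
    counts = Counter(key(ap) for ap in aps)
    if len(counts) < 2:
        return set()
    top = max(counts.values())
    odd = {ap["bssid"] for ap in aps if counts[key(ap)] < top}
    # No clear majority (e.g. 1 vs 1): cannot tell which is genuine, flag all.
    return odd or {ap["bssid"] for ap in aps}


def find_suspect_aps(scan):
    """Return {ssid: {bssid: [reasons]}} for access points that stand out."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    checks = {
        "security mode differs from other APs with this name":
            lambda ap: ap["security"].upper(),
        "vendor prefix (OUI) differs from other APs with this name":
            lambda ap: ap["bssid"].lower()[:8],
    }
    findings = {}
    for ssid, aps in by_ssid.items():
        flagged = defaultdict(list)
        for reason, key in checks.items():
            for bssid in sorted(_outliers(aps, key)):
                flagged[bssid].append(reason)
        if flagged:
            findings[ssid] = dict(flagged)
    return findings


if __name__ == "__main__":
    for ssid, aps in find_suspect_aps(SAMPLE_SCAN).items():
        for bssid, reasons in aps.items():
            print(f"{ssid} {bssid}: " + "; ".join(reasons))
```

Large venues legitimately run many access points under one name, so multiple BSSIDs alone are not flagged; only inconsistency between them is.
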

Captive Portal Risks

Captive portals are the login or agreement pages displayed when you first connect to public WiFi ("Accept terms of service" or "Enter room number and last name"). They have inherent security issues:

Data collection. Many captive portals require an email address, phone number, or social media login. This data is collected by the WiFi provider (or their marketing partner) and often used for tracking and advertising.

Unencrypted login pages. Some captive portals use HTTP instead of HTTPS, meaning any credentials you enter could be visible to network eavesdroppers.

Fake captive portals. In an evil twin attack, the attacker can present any page they want as the "captive portal." This could be a convincing Google or Facebook login page designed to harvest your credentials.

Malicious content injection. Some captive portals inject JavaScript, tracking beacons, or advertisements into your browsing session even after you've logged in.

Protection against captive portal risks:

  • Use a throwaway email for captive portal registrations — not your primary email
  • Never enter important passwords into a captive portal page
  • Avoid "Log in with Facebook/Google" options on captive portals — these grant access to your account information
  • Use a VPN immediately after connecting to encrypt all subsequent traffic
  • If possible, use cellular data instead of WiFi that requires portal authentication

Practical Protection Steps

Here are the steps that actually matter for public WiFi security, ranked by importance:

1. Verify HTTPS on sensitive sites. Before entering any credentials or sensitive information, confirm the padlock icon and "https://" in the URL bar. Every major service uses HTTPS by default in 2026, but verify anyway.

2. Never ignore certificate warnings. If your browser warns that a site's certificate is invalid or untrusted while you're on public WiFi, do not proceed. This could indicate an active man-in-the-middle attack. Close the tab and access the site later on a trusted network.

3. Enable encrypted DNS. Configure DNS-over-HTTPS (DoH) in your browser or at the operating system level:

  • Firefox: Settings → Privacy & Security → Enable DNS over HTTPS → Cloudflare
  • Chrome: Settings → Privacy and Security → Use secure DNS → Cloudflare/Google
  • Windows 11: Settings → Network → DNS → Encrypted (HTTPS)
  • iOS/Android: System settings or use Cloudflare's 1.1.1.1 app

4. Disable file sharing and AirDrop. On public networks, turn off network file sharing, printer sharing, and AirDrop/Nearby Share. These features are designed for trusted networks and can expose your device to others.

5. Use your OS firewall's "Public" profile. Both Windows and macOS have network profiles that automatically apply stricter firewall rules for untrusted networks. Mark public WiFi networks as "Public" (not "Home" or "Private").

6. Turn off auto-connect to known networks. Your device may automatically connect to networks with familiar names. An attacker can create a network named "Starbucks WiFi" that your phone auto-connects to. Disable auto-connect for public networks.

Using a VPN on Public WiFi

A VPN provides meaningful additional protection on public WiFi:

What a VPN adds to public WiFi security:

  • Encrypts all traffic (including DNS and non-HTTPS traffic) between your device and the VPN server
  • Prevents the local network (including evil twins and rogue operators) from seeing any of your traffic
  • Defeats DNS spoofing attacks since DNS queries go through the encrypted tunnel
  • Prevents traffic analysis — the network operator can't see which sites you visit or how much data you exchange with each

VPN limitations on public WiFi:

  • Doesn't protect against phishing (malicious links you click still work)
  • Doesn't protect against malware on your device
  • The VPN connection must be established after connecting to WiFi — there's a brief window before the VPN connects
  • Captive portals may not work while a VPN is active (you may need to connect to the portal first, then activate the VPN)

Practical VPN usage on public WiFi:

  1. Connect to the WiFi network
  2. If there's a captive portal, complete the login
  3. Immediately activate your VPN
  4. Verify the VPN is connected before accessing sensitive services
  5. Keep the VPN active for the duration of your session

For VPN recommendations and detailed guidance, see our VPN guide.

When to Use Mobile Hotspot Instead

Sometimes the best public WiFi security is not using public WiFi at all.

Your phone's mobile hotspot (personal hotspot / tethering) provides a private, encrypted connection that avoids all public WiFi risks:

Advantages of mobile hotspot:

  • You control the network — no evil twins, no rogue operators
  • WPA2/WPA3 encryption between your laptop and phone
  • Cellular data connection is encrypted by the carrier
  • No captive portals or data collection
  • No other users on your network

When to prefer mobile hotspot over public WiFi:

  • Accessing banking, financial services, or investment platforms
  • Working with sensitive business documents
  • When the public WiFi requires excessive personal information
  • In high-risk environments (conferences, airports in certain countries)
  • When your data plan can accommodate the usage

When public WiFi is fine (with precautions):

  • General browsing and reading
  • Streaming media (uses a lot of data on hotspot)
  • Accessing HTTPS-encrypted services where you trust the certificate
  • Any activity where a VPN is active

Public WiFi Safety Checklist

Before connecting to public WiFi, run through this quick checklist:

Before connecting:

  • Verify the network name with staff (don't guess which is the "real" network)
  • Forget any previously saved public networks to prevent auto-connect
  • Enable your OS firewall's "Public" profile
  • Turn off file sharing, AirDrop, and Bluetooth discoverability
  • Use a strong password on your device (in case of over-the-shoulder snooping)

After connecting:

  • Complete any captive portal login with minimal information
  • Activate your VPN immediately
  • Enable encrypted DNS if not already configured
  • Verify HTTPS on any site before entering credentials

During your session:

  • Never ignore certificate warnings
  • Don't access financial services without a VPN (or use mobile hotspot instead)
  • Be aware of shoulder surfers — use a privacy screen if available
  • Don't leave your device unattended and unlocked

After disconnecting:

  • Forget the network (prevents future auto-connect)
  • If you entered credentials on any site, verify your account activity later from a trusted network
  • Log out of any services you logged into during the session

For maximum security, use unique passwords for every account, generated with our password generator, so that even if one credential is compromised, your other accounts remain safe.


Public WiFi security anxiety is often more about marketing than reality — HTTPS protects the vast majority of your traffic even on open networks. But the remaining risks are real: evil twin attacks, DNS manipulation, and captive portal exploitation deserve attention. A layered approach — HTTPS awareness, encrypted DNS, a VPN, and common sense — lets you use public WiFi confidently without unnecessary fear.
