"Never use public Wi-Fi for anything sensitive." You've probably heard some version of this advice. It's been repeated in tech articles, IT departments, and cybersecurity training for over a decade. The problem is that it's based on a threat model from 2012, and the web has changed dramatically since then. The risks of public Wi-Fi are real but widely misunderstood — both overstated in some ways and understated in others.

What changed: HTTPS is now everywhere

In 2012, roughly a quarter of the web used HTTPS. Today, that figure is over 95% for traffic in most developed countries, and the major browsers actively warn users away from non-HTTPS sites. This single change has eliminated the most dramatic attacks that once made public Wi-Fi genuinely dangerous.

HTTPS encrypts the content of every request and response between your browser and the server. Someone sitting at the same coffee shop, intercepting packets off the Wi-Fi network, cannot read your passwords, see your messages, view the content of pages you're loading, or intercept your login sessions — as long as those sites use HTTPS. The padlock in your browser address bar is meaningful protection.

The old attack, called a man-in-the-middle attack, involved intercepting unencrypted HTTP traffic to steal credentials or inject content. On a modern, HTTPS-dominant web, this attack largely doesn't work anymore.

What attackers can and can't do today

Mostly blocked by HTTPS

  • Reading your passwords
  • Seeing page content you're viewing
  • Intercepting login session cookies
  • Injecting malicious content into pages
  • Stealing form data you submit

Still possible on public Wi-Fi

  • Seeing which domains you connect to
  • Evil twin network impersonation
  • Captive portal script injection
  • Traffic metadata (timing, volume)
  • Attacks on non-HTTPS sites

The real threats in detail

DNS visibility. Even on HTTPS sites, DNS queries — the lookups that translate domain names to IP addresses — are often unencrypted. Someone monitoring the network can see a list of every domain you connect to, even if they can't see what you're doing there. They know you visited your bank's website; they just can't see your account details.

Evil twin attacks. This is the most significant remaining threat. An attacker sets up a Wi-Fi access point with the same name (SSID) as a legitimate network — "Starbucks Wi-Fi" or "Airport Free WiFi." Your device may connect automatically if it has connected to a similarly-named network before. Once connected, the attacker controls the network layer: they can redirect you to fake login pages, inject scripts into unencrypted pages, and monitor your unencrypted DNS queries. HTTPS protects the content of your connections but doesn't prevent your device from connecting to the wrong network in the first place.
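A defensive check for the evil twin scenario, as an added example that is not from the original article. The scan results, saved profiles, field names and the two heuristics (one SSID advertised with mixed security, and a saved open network set to auto-join) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: nearby access points and the device's saved profiles.
SCAN = [
    {"ssid": "CafeGuest", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2"},
    {"ssid": "CafeGuest", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2"},
    {"ssid": "Airport Free WiFi", "bssid": "de:ad:be:00:00:01", "security": "open"},
    {"ssid": "HotelNet", "bssid": "11:22:33:00:00:01", "security": "WPA2"},
    {"ssid": "HotelNet", "bssid": "66:77:88:00:00:09", "security": "open"},
]
SAVED = [
    {"ssid": "Airport Free WiFi", "security": "open", "auto_join": True},
    {"ssid": "HotelNet", "security": "WPA2", "auto_join": True},
    {"ssid": "HomeNet", "security": "WPA2", "auto_join": True},
]

def evil_twin_warnings(scan, saved):
    """Return (ssid, reason) pairs worth a manual check before connecting."""
    modes_by_ssid = defaultdict(set)
    for ap in scan:
        modes_by_ssid[ap["ssid"]].add(ap["security"])

    warnings = []
    # Several BSSIDs for one SSID is normal (multiple access points), so only
    # flag a name that is advertised with different security settings.
    for ssid, modes in sorted(modes_by_ssid.items()):
        if len(modes) > 1:
            warnings.append((ssid, "mixed-security"))
    # An open network has no credential to check, so the name alone is enough
    # for the device to auto-join whoever is broadcasting it.
    for profile in saved:
        if (profile["auto_join"] and profile["security"] == "open"
                and profile["ssid"] in modes_by_ssid):
            warnings.append((profile["ssid"], "auto-join-open"))
    return warnings
```

Neither heuristic proves an access point is hostile; both mark networks where asking staff for the correct name, or disabling auto-join, is worth the effort.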

Captive portals. The login page you see when you first connect to a hotel or airport network is a captive portal. These pages are almost always served over HTTP (no encryption) so your browser can reach them before you've accepted the terms. A compromised or malicious captive portal can serve scripts that affect your browser session. Accepting terms on a captive portal before your VPN connects is a brief window of exposure.

SSL stripping is largely solved. An older attack called SSL stripping could downgrade HTTPS connections to HTTP, exposing credentials. HSTS (HTTP Strict Transport Security) preloading, now built into all major browsers for thousands of sites, prevents this by forcing HTTPS connections at the browser level before any network request is made.
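One way to check how well a site's HSTS header covers the stripping case, as an added example rather than code from the original article. The function names and status labels are hypothetical; the preload thresholds (a one-year `max-age`, `includeSubDomains`, `preload`) are the header requirements for the browser preload list.

```python
ONE_YEAR = 31536000  # seconds; minimum max-age for preload-list submission

def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted string
        if name == "max-age" and value.isascii() and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def stripping_exposure(header) -> str:
    """Classify a site's exposure to an HTTPS-to-HTTP downgrade.

    header is the Strict-Transport-Security value from an HTTPS response,
    or None when the site does not send one.
    """
    if header is None:
        return "unprotected"
    policy = parse_hsts(header)
    # A missing max-age is invalid, and max-age=0 tells the browser to forget
    # the policy, so both leave plain-HTTP requests possible.
    if not policy["max_age"]:
        return "unprotected"
    if (policy["preload"] and policy["include_subdomains"]
            and policy["max_age"] >= ONE_YEAR):
        return "preload-eligible"
    # Without preloading, the browser only learns the policy after one
    # successful HTTPS visit, so the very first connection can be downgraded.
    return "first-visit-exposed"
```

A "preload-eligible" result only means the header qualifies; the domain still has to be submitted to and shipped in the browser's preload list before the first-visit gap closes.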

What a VPN actually does on public Wi-Fi

A VPN creates an encrypted tunnel from your device to the VPN server before any other traffic goes out. This addresses several of the remaining risks. Your DNS queries are encrypted and sent through the VPN, so domain lookups are no longer visible to network monitors. Even if you connect to an evil twin network, the attacker sees only encrypted VPN traffic — they can't monitor your DNS lookups or inject anything into your connections. The captive portal window is narrowed, though you'll typically need to connect to the captive portal before activating your VPN.

A VPN on public Wi-Fi is a meaningful practical improvement, but it's worth being clear about what it does and doesn't add. On a modern web, HTTPS was already blocking the most serious attacks. A VPN adds protection primarily for DNS privacy, metadata concealment, and evil twin scenarios.

Practical guidelines

Verify the network name. Before connecting, check with a staff member what the correct Wi-Fi name is. Don't rely on the strongest signal or the most obvious name.

Enable your VPN before doing anything sensitive. Connect to your VPN immediately after joining a network, before visiting any sites. Most VPN apps can be set to connect automatically on untrusted networks.

Check for HTTPS before submitting any data. On any site where you're logging in, entering payment details, or submitting personal information, verify the padlock icon is present. Most major sites enforce this automatically.

Use your phone's mobile hotspot for sensitive tasks. Mobile data bypasses public Wi-Fi entirely. If you need to do online banking, access work systems, or handle genuinely sensitive information while away from home, your phone's 4G/5G hotspot eliminates all public Wi-Fi risks.

Be realistic about the risk level. Reading news, browsing social media, and streaming content on a coffee shop network carries very low actual risk in 2026, especially on HTTPS sites. Logging into your bank on a suspicious network in a high-risk location is a different calculation. Match your precautions to the actual stakes.

The bottom line

Public Wi-Fi is safer than it was a decade ago, largely because HTTPS adoption has eliminated the attacks that once made it genuinely dangerous. The risks that remain — DNS visibility, evil twin attacks, and captive portal exposure — are real but more targeted and less casual. A VPN addresses most of these remaining risks effectively. For most people, the practical advice is: use HTTPS everywhere, enable a VPN on public networks when available, and reserve your phone's hotspot for situations that genuinely require it.
