Public WiFi Safety in 2026: Separating Real Risks from Security Theater

Margot 'Magic' Thorne (@magicthorne), May 3, 2026, 11 min read

The advice you've heard about public WiFi falls into two camps. One camp says never use it under any circumstances, that coffee shop WiFi is a hacker's playground where your bank account empties the moment you connect. The other camp says the whole threat is overblown, that HTTPS fixed everything, that you're worrying about a problem from 2012.

Both camps are wrong, but the second camp is closer to right.

Public WiFi in 2026 is not the universal danger it was when the warnings started. The web moved to encrypted connections. Browsers got smarter about warning you when something's wrong. The attacks that used to work against casual traffic don't work anymore, at least not the way they used to. But the attacks that remain are specific, and they're serious if you're in their path.

Here's what actually matters when you connect to a network you don't control.

HTTPS Changed the Threat Model, But It Didn't Eliminate It

A decade ago, most web traffic traveled unencrypted. When you logged into your email at a coffee shop, your username and password crossed the network in plain text. Anyone with basic packet-sniffing tools could read them. The attack was called session hijacking, and it worked because the web wasn't built with hostile networks in mind.

That's mostly over. The EFF's push for encrypted web traffic succeeded. Around 95% of web traffic now uses HTTPS, which means the connection between your browser and the website is encrypted before it leaves your device. Someone watching the network sees encrypted gibberish, not your login credentials.

This is the reason the second camp exists. HTTPS does protect you on public WiFi, and it protects you well. If you're browsing news sites, checking email through a webmail interface, or scrolling social media, the encryption happens automatically. The network operator can see that you're visiting gmail.com, but they can't see your password, your email content, or which messages you're reading.

But HTTPS doesn't protect you from everything, and the gaps matter.

First, not every connection is HTTPS. Some sites still serve content over unencrypted HTTP, either because they're old and unmaintained or because the site operator doesn't care. Some mobile apps use HTTP for parts of their communication, especially apps that haven't been updated in years. If you're using an app that talks to its servers over HTTP, someone on the network can see that traffic.

Second, HTTPS protects the content of your traffic, but it doesn't hide which sites you're visiting. The network operator can see the domain names in your DNS requests and the server names in your TLS handshakes. They know you visited gmail.com, reddit.com, and your bank's website, even if they can't see what you did there. For most people in most situations, that's fine. For some people in some situations, it's not.

Third, HTTPS assumes the site you're connecting to is the real site. If an attacker tricks you into connecting to a fake network and then serves you a fake login page that looks like your bank, HTTPS encrypts your connection to the fake page. You're securely transmitting your credentials to the wrong place. The browser will show warnings if the fake site can't produce a valid certificate, but those warnings depend on you noticing them and understanding what they mean.

Fourth, HTTPS doesn't protect you from attacks that target your device directly. If the network is malicious and your device has an unpatched vulnerability, the attacker can try to exploit it. This is rarer than it used to be, because operating systems and browsers patch vulnerabilities faster now, but it's not gone.

The threat model shifted. It didn't disappear.

The Real Risks Are Malicious Networks and Unencrypted Connections

In The Good Place, the characters spend the first season thinking they're in heaven, only to discover they're in an elaborate simulation designed to torture them. The place looked right, the people seemed helpful, and the assumptions they made based on appearances were exactly wrong.

That's the risk with public WiFi in 2026. The network that says "Coffee Shop Guest WiFi" might be the coffee shop's actual network, or it might be someone's laptop configured to broadcast that name. Your device can't tell the difference. Neither can you, unless you ask the staff and verify.

Once you connect to a malicious network, the operator controls the infrastructure your traffic passes through. They can attempt a range of attacks:

DNS spoofing. When you type a website address, your device asks a DNS server to translate that address into an IP address. The malicious network can answer with the wrong IP, sending you to a fake site. If you're not paying attention to the URL bar and the certificate warnings, you might enter credentials into a page that looks like your bank but isn't.

SSL stripping. Some older attacks try to downgrade your HTTPS connection to HTTP by intercepting the initial request and serving an unencrypted version of the page. Modern browsers resist this, but it can still work if the site doesn't use HSTS (HTTP Strict Transport Security), which forces browsers to use HTTPS.

Captive portal abuse. Many public networks show you a login or terms-of-service page before letting you access the internet. A malicious network can serve a fake captive portal that asks for credentials or payment information, betting that you'll assume it's legitimate because captive portals are normal.

Device exploitation. If your device has an unpatched vulnerability in its network stack or browser, a malicious network can attempt to exploit it. This is the rarest attack, because it requires the attacker to have an exploit that works against your specific device and software version, but it's the one with the highest consequences.

The common thread is that you're trusting the network to behave. Public WiFi asks you to trust infrastructure controlled by someone you don't know, in a place where anyone can set up a transmitter. That's the risk.

VPNs Add a Layer, But They're Not a Universal Solution

A VPN encrypts all your traffic before it leaves your device and routes it through a server you choose. From the perspective of the public WiFi network, your device is sending encrypted data to one destination (the VPN server), and that's all the network can see. The VPN server then forwards your traffic to its real destination.

This solves several problems. It hides which sites you're visiting from the network operator. It protects unencrypted HTTP traffic by wrapping it in the VPN's encryption. It prevents DNS spoofing, because your DNS requests go through the VPN tunnel. It makes SSL stripping much harder, because the attacker would need to break the VPN encryption first.

For these reasons, CISA's guidance on network security includes using a VPN on untrusted networks as a standard precaution. It's a reasonable recommendation.

But a VPN doesn't make public WiFi safe in some absolute sense. It shifts the trust. Instead of trusting the coffee shop's network, you're trusting the VPN provider. If the VPN provider logs your traffic, sells your data, or gets breached, you've traded one risk for another. If the VPN has a vulnerability or misconfiguration, you're still exposed.

A VPN also doesn't protect you from malicious networks that attack your device directly. If the network tries to exploit a vulnerability in your operating system before the VPN connection establishes, the VPN won't help. If you connect to a fake network and enter credentials into a phishing page before the VPN is active, the VPN won't stop that.

The value of a VPN on public WiFi is that it raises the difficulty level for most attacks. It's harder to intercept your traffic, harder to see where you're going, harder to serve you fake pages. It's not a guarantee, but it's useful insurance.

If you're going to use a VPN on public WiFi, choose one with a clear no-logs policy, strong encryption, and a reputation that holds up under scrutiny. I've written about how VPNs work and what they protect in more detail elsewhere. The short version is that a VPN is only as trustworthy as the company running it, so pick carefully.

NordVPN is one option that meets those criteria, with a clear logging policy, modern encryption standards, and a feature that auto-connects when you join an untrusted network. We earn a commission on purchases through this link, at no extra cost to you.

What You Should Actually Do on Public WiFi

The practical advice is less dramatic than the warnings suggest, but it's specific.

Verify the network name with staff. Don't assume the network called "Airport WiFi" is the airport's network. Ask. If you can't verify, don't connect.

Turn off auto-connect. Your device will automatically join networks it recognizes by name. An attacker can create a network with the same name as your home or office WiFi, and your device will connect without asking. Disable auto-connect in your WiFi settings.

Check for HTTPS. Before entering credentials or payment information, verify that the URL starts with https:// and that the browser shows a lock icon. If the site is HTTP, don't proceed. If the browser shows a certificate warning, don't ignore it.

Use a VPN if you're doing anything sensitive. Banking, work email, accessing files with personal information: these are situations where a VPN is worth the minor inconvenience. It's not required for reading news or checking the weather.

Keep your software updated. Most device exploits target known vulnerabilities that have patches available. If your operating system and apps are current, you're protected against the majority of device-level attacks. If you're running software from 2023, you're not.

Avoid unencrypted protocols. Don't use FTP, Telnet, or any other protocol that sends credentials in plain text. If you're not sure whether a protocol is encrypted, assume it's not and use a VPN.

Use two-factor authentication. If an attacker does manage to intercept your password through a phishing page or a compromised connection, 2FA makes that password less useful. They'd need the second factor to access your account. I've written about how 2FA works and which methods to use in another article.

Don't save new WiFi networks as trusted. If your device asks whether to remember a public network, say no. You don't want your phone automatically connecting to "Starbucks WiFi" every time it sees a network with that name.

These steps don't eliminate risk. They reduce it to a level where the convenience of public WiFi is worth the remaining exposure for most people in most situations.

The Threat You're Not Thinking About: Malicious Hotspots That Mimic Legitimate Ones

The attack that keeps security professionals awake is the evil twin. Someone sets up a WiFi hotspot with the same name as a legitimate network, often with a stronger signal. Your device connects automatically, or you choose it because it has more bars. You're now on an attacker's network, and everything you do passes through their equipment.

This attack works because WiFi network names aren't authenticated. Anyone can broadcast any name. Your device can't tell the difference between the real "Hotel Guest WiFi" and a laptop in the parking lot broadcasting the same name.

The evil twin attack is effective because it exploits your assumptions. You assume the network is legitimate because the name matches and you're in the right location. You assume the captive portal is real because captive portals are normal. You assume the login page is real because it looks right.

The defense is verification. Ask staff for the correct network name. Check the URL before entering credentials. Notice when the browser shows warnings. Use a VPN so that even if you connect to a malicious network, your traffic is encrypted before it reaches the attacker.

The evil twin attack is harder to execute than it used to be, because browsers and operating systems have gotten better at detecting suspicious behavior, but it's not gone. It's the attack that still works when everything else is locked down.
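Because network names aren't authenticated, the checks a device can make are heuristic. The following added example (not code from this article) audits a WiFi scan against saved profiles for the two warning signs the article describes: a saved open network set to auto-join, and a saved secured name that suddenly also appears as an open access point or from an access point never seen before. The profiles and scan results are constructed sample data; on a real device they would come from the operating system.

```python
"""Audit a WiFi scan against saved profiles for evil-twin warning signs.

Added illustration, not code from the article. SAMPLE_PROFILES and
SAMPLE_SCAN are constructed data standing in for what the OS would report.
A BSSID (access point MAC) can be spoofed, so a match proves nothing; a
mismatch is a prompt to verify the network name with staff before joining.
"""
from dataclasses import dataclass, field


@dataclass
class SavedProfile:
    ssid: str
    secured: bool            # WPA2/WPA3 with a passphrase, not an open network
    auto_connect: bool
    known_bssids: set = field(default_factory=set)  # AP MACs seen on past joins


@dataclass
class ScanResult:
    ssid: str
    bssid: str
    secured: bool
    signal_dbm: int


def audit(profiles, scan):
    """Return (ssid, reason) findings worth a look before the device joins."""
    by_ssid = {p.ssid: p for p in profiles}
    findings = []
    for p in profiles:
        if not p.secured and p.auto_connect:
            findings.append((p.ssid, "saved open network will auto-join any AP with this name"))
    for ap in sorted(scan, key=lambda a: a.signal_dbm, reverse=True):
        p = by_ssid.get(ap.ssid)
        if p is None:
            continue  # a name the device has never saved cannot trigger auto-connect
        if p.secured and not ap.secured:
            findings.append((ap.ssid, f"{ap.bssid} broadcasts a saved secured name as an open network"))
        elif p.known_bssids and ap.bssid not in p.known_bssids:
            findings.append((ap.ssid, f"{ap.bssid} was never seen before for this name"))
    return findings


# Constructed sample: a home network seen once before, and a cafe network saved as open.
SAMPLE_PROFILES = [
    SavedProfile("Home-5G", secured=True, auto_connect=True, known_bssids={"aa:bb:cc:00:00:01"}),
    SavedProfile("Coffee Shop Guest WiFi", secured=False, auto_connect=True),
]
# Constructed scan: the real home AP plus a stronger, open AP using the same name.
SAMPLE_SCAN = [
    ScanResult("Home-5G", "aa:bb:cc:00:00:01", secured=True, signal_dbm=-60),
    ScanResult("Home-5G", "de:ad:be:ef:00:01", secured=False, signal_dbm=-40),
    ScanResult("Coffee Shop Guest WiFi", "11:22:33:44:55:66", secured=False, signal_dbm=-55),
    ScanResult("Unrelated", "00:00:00:00:00:01", secured=True, signal_dbm=-80),
]

if __name__ == "__main__":
    for ssid, reason in audit(SAMPLE_PROFILES, SAMPLE_SCAN):
        print(f"{ssid}: {reason}")
```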

Some Contexts Are Higher Risk Than Others

Not all public WiFi carries the same risk. A network at a conference where thousands of security professionals are gathered is more likely to be monitored by someone with skill and tools. A network at a coffee shop in a small town is less likely, but not impossible.

Airports, hotels, and conferences are higher-risk environments because they attract travelers, business users, and people accessing sensitive information. Attackers know this and target these locations. CISA's guidance on securing network infrastructure explicitly calls out travel as a context where additional precautions make sense.

If you're traveling internationally, the risk increases. Some countries have laws that allow government monitoring of network traffic. Some countries have infrastructure that's less secure by default. A VPN is more important in these contexts, both for privacy and for security.

If you're accessing work systems, the risk increases. Corporate networks often have security policies that assume you're on a trusted network. If you're on public WiFi and you're accessing internal systems, you're bypassing those assumptions. Use a VPN, or better, use your employer's VPN if they provide one.

If you're doing something that would be valuable to an attacker (filing taxes, accessing health records, managing investments), the risk increases. These are situations where the inconvenience of waiting until you're on a trusted network is worth it.

Context matters. Public WiFi at a coffee shop while you're reading news is low risk. Public WiFi at an airport while you're accessing your bank account is higher risk. Adjust your behavior accordingly.

The Overblown Threat: Casual Eavesdropping on HTTPS Traffic

The threat that gets the most attention is the one that's least likely to matter in 2026: someone sitting in a coffee shop with Wireshark, capturing your traffic, and reading your emails.

This attack worked a decade ago when most traffic was unencrypted. It doesn't work now, because HTTPS encrypts the content. The attacker can see that you're visiting gmail.com, but they can't see your emails. They can see that you're on reddit.com, but they can't see which subreddits or which posts.

The scenario still appears in articles and videos because it's easy to demonstrate and it looks dramatic. You open Wireshark, you capture packets, you see traffic. But what you see is encrypted, and breaking that encryption is not something that happens in a coffee shop with off-the-shelf tools.

The real attacks are more targeted. They involve malicious networks, fake login pages, or device exploits. They require more setup and more skill. They're less common, but when they happen, they're more consequential.

The reason to care about public WiFi security in 2026 is not that someone might read your emails over your shoulder. It's that someone might trick you into connecting to their network and then serve you a fake page that looks like your bank. It's that someone might exploit an unpatched vulnerability in your device. It's that someone might log which sites you visit and sell that data.

These are real risks, but they're not the risks the warnings describe.

What's Changed Since the Warnings Started

The warnings about public WiFi started around 2010, when unencrypted HTTP was the default and session hijacking was easy. The advice was sound at the time: don't use public WiFi for anything important, because the network is hostile and your traffic is visible.

That advice is now outdated, but it persists because it's simple and because updating it requires nuance. "Never use public WiFi" is easier to remember than "use public WiFi with HTTPS and a VPN for sensitive tasks, verify the network name, keep your software updated, and turn off auto-connect."

What's changed:

HTTPS became the default. Browsers now warn you when a site uses HTTP. Many sites use HSTS to force HTTPS. The percentage of encrypted traffic went from around 50% in 2016 to over 95% in 2026.

Browsers got smarter. Certificate warnings are clearer. Browsers block mixed content (HTTPS pages loading HTTP resources). Browsers warn you when a site's certificate doesn't match its domain.

Operating systems improved. Automatic updates are now the default on most platforms. Vulnerabilities get patched faster. Network stacks are more resistant to attacks.

VPNs became accessible. A decade ago, VPNs were niche tools for technical users. Now they're consumer products with one-click setup. The barrier to using a VPN dropped.

Attackers adapted. The easy attacks stopped working, so attackers moved to harder attacks. Malicious networks, phishing pages, and device exploits require more effort, but they're still viable.

The threat didn't disappear. It evolved. The defenses evolved with it. The gap between the threat and the defenses is narrower now, but it's not closed.

You're Trading Convenience for a Specific Risk Profile

The question isn't whether public WiFi is safe in some absolute sense. The question is whether the risk is acceptable for what you're doing.

If you're reading news, checking the weather, or browsing social media, the risk is low enough that most people accept it without thinking. If you're logging into your bank, filing taxes, or accessing health records, the risk is higher, and the convenience is less worth it.

The decision is yours. The tools exist to reduce the risk: HTTPS, VPNs, software updates, verification. Whether you use them depends on your threat model, your tolerance for inconvenience, and your assessment of what you're protecting.

Public WiFi in 2026 is not the universal danger the warnings suggest. It's also not perfectly safe. It's a tool with a specific risk profile, and you can use it intelligently if you understand what that profile looks like.


Frequently asked questions

Most traffic is now encrypted by default through HTTPS, which protects your data even on untrusted networks. The remaining risks involve unencrypted connections, malicious networks that mimic legitimate ones, and attacks that exploit your device directly.

A VPN adds a layer of protection by encrypting all traffic before it leaves your device, which matters for unencrypted connections and prevents network operators from seeing which sites you visit. It's not required for basic browsing on HTTPS sites, but it's useful insurance.

Connecting to a malicious network that mimics a legitimate one. Once connected, attackers can attempt to intercept credentials, serve fake login pages, or exploit device vulnerabilities. The network name alone doesn't guarantee authenticity.

Not if you're using HTTPS and the site implements it correctly. Your login credentials travel encrypted. The risk comes from fake networks serving phishing pages that look like real login forms, or from unencrypted HTTP connections that still exist on some sites.

Yes. Auto-connect to known networks means your device will join any network broadcasting a familiar name. An attacker can create a network called 'Starbucks WiFi' and your phone will connect automatically, giving them a foothold.