Is Public WiFi Safe? How to Protect Yourself
Public WiFi isn't as dangerous as it was in 2010 — HTTPS has encrypted most web traffic by default. But the risks aren't zero, especially for unencrypted apps, email clients, and anything connecting in the background. A VPN eliminates the remaining risks. Here's what's actually at stake.
What's actually at risk on public WiFi
Most websites use HTTPS now, which encrypts the content of your traffic even on public WiFi. But several attack vectors remain:
- Evil twin attacks: A malicious hotspot mimics a legitimate network name (e.g., 'Starbucks WiFi'). Your device auto-connects, and the attacker intercepts all traffic — including HTTPS in a man-in-the-middle setup if they can get you to accept a fake certificate.
- Unencrypted apps: Email apps, chat clients, and older apps sometimes send data unencrypted. Anyone on the same network can read it.
- Network sniffing: On open WiFi, traffic is broadcast to everyone on the network. Unencrypted traffic (HTTP, some UDP protocols) can be captured.
- Session hijacking: Attackers can steal session cookies from unencrypted HTTP connections, letting them impersonate you on websites.
- DNS hijacking: The WiFi network's DNS server can redirect your requests — sending you to phishing sites even when you type the correct URL.
What's NOT actually at risk (on most sites)
With HTTPS (the padlock in your browser), the content of your web traffic is encrypted even on public WiFi. An attacker can see that you're visiting google.com but not what you searched for. Modern browsers refuse to load HTTP sites by default. Most risk comes from non-browser internet connections.
How a VPN protects you on public WiFi
A VPN encrypts all your traffic — including traffic from apps, email clients, game servers, and background services — before it leaves your device. Even on a compromised network, an attacker sees only encrypted data going to a VPN server. DNS queries are routed through the VPN, preventing DNS hijacking.
- Encrypts all traffic, not just browser traffic
- Prevents DNS hijacking by routing queries through VPN servers
- Hides your IP from the network and other connected users
- Kill switch prevents unencrypted traffic if VPN drops
Other practical protections (with or without VPN)
- Check for HTTPS: Only submit sensitive information (passwords, payment details) on HTTPS sites
- Enable firewall: Your device's built-in firewall blocks unsolicited incoming connections
- Disable auto-connect: Turn off automatic connection to open WiFi networks
- Use 2FA: Even if a password is captured, 2FA prevents login
- Avoid sensitive transactions: Don't do banking on public WiFi without a VPN
- Mobile data as alternative: Your cellular data connection is encrypted by the carrier — often safer than public WiFi
Frequently asked questions
Is hotel WiFi safe?
Hotel WiFi is a shared network — often poorly secured. The same risks as any public WiFi apply: other guests, and potentially hotel staff, can potentially intercept unencrypted traffic. Always use a VPN on hotel WiFi, especially for work-related activities.
Can airports see what I'm doing on their WiFi?
The airport network operator can see unencrypted DNS queries and unencrypted traffic. With HTTPS, they can see which domains you visit but not the content. A VPN encrypts even that information.
Is it safe to do banking on public WiFi?
Banking websites use HTTPS, which encrypts your login and transaction data. The specific act of banking is fairly safe on public WiFi in 2026 — but a VPN eliminates the residual risks (evil twin attacks, DNS hijacking, and traffic analysis).