Why public Wi-Fi is dangerous
Public Wi-Fi networks share one fundamental characteristic: every device connected to the same network can potentially see traffic from every other device on that network. On a private home network, you're the only user. On a coffee shop network with 30 people connected, any one of those 30 people could be running tools to inspect network traffic.
Most public hotspots have no form of network isolation between clients. Your laptop and a stranger's laptop are effectively on the same local network segment. With freely available tools like Wireshark (a legitimate network analysis application), anyone nearby can capture and inspect unencrypted traffic in real time.
The scale of the problem: A 2019 study by Kaspersky found that 25% of public Wi-Fi hotspots worldwide use no encryption at all. Even networks that use WPA2 password protection share the same encryption key with all users — meaning other users on the same network can still decrypt each other's traffic.
Attacks that happen on public Wi-Fi
Man-in-the-Middle (MitM) attacks
In a Man-in-the-Middle attack, an attacker inserts themselves between your device and the internet gateway. Your traffic flows through their machine, which can log, modify, or inject content into it. The attacker uses techniques like ARP poisoning to redirect traffic at the network layer — no special access to the router required.
MitM attacks are more effective than most people expect. While HTTPS encrypts the content of your traffic, a sophisticated MitM can perform SSL stripping — downgrading HTTPS connections to HTTP to read the content — on sites that don't enforce HSTS (HTTP Strict Transport Security).
Evil twin hotspots
An attacker sets up a hotspot with the same name (SSID) as the legitimate network: "Starbucks WiFi", "Airport Free WiFi", "Hotel_Guest". Your device connects to the malicious hotspot instead of the real one, and all your traffic flows through the attacker's router. Because you're connecting to what appears to be the correct network, there's no visual warning.
This attack requires only a laptop and a mobile hotspot. It takes under 5 minutes to set up, and many devices will auto-connect to familiar network names — meaning you might not even notice you've connected to the evil twin.
Packet sniffing
On unsecured Wi-Fi networks (no password, or WEP encryption), an attacker can put their wireless adapter into monitor mode and capture all traffic passing over the network. Free tools like Wireshark make this point-and-click simple. Any unencrypted traffic — HTTP sites, some email protocols, DNS queries — is readable in plaintext.
Session hijacking
Even on HTTPS connections, session cookies are sometimes transmitted in ways that can be captured. If an attacker obtains your session cookie for a logged-in service, they can impersonate you without needing your password. The Firesheep browser extension, released in 2010, demonstrated this attack so publicly that it forced widespread HTTPS adoption — but many services still have vulnerabilities.
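The two server-side defences mentioned so far, HSTS against SSL stripping and protected session cookies against hijacking, can both be checked from a site's response headers. The audit below is an added example, not code from the original article; the header lists are constructed samples and the function names are illustrative.

```python
# Constructed response headers for illustration; not taken from a real site.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

def parse_hsts(value):
    """Split an HSTS header value into {directive: value}, names lower-cased."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def cookie_attrs(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in rest if a.strip()}
    return name, attrs

def audit_response(headers):
    """Return findings for a list of (header name, value) pairs from an HTTPS response."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no HSTS header: browser can be downgraded to HTTP")
    else:
        # Browsers honour only the first HSTS header in a response.
        max_age = parse_hsts(hsts[0]).get("max-age", "")
        if not max_age.isdigit() or int(max_age) == 0:
            findings.append("HSTS max-age missing or zero: policy is not retained")
    for k, v in headers:
        if k.lower() == "set-cookie":
            name, attrs = cookie_attrs(v)
            if "secure" not in attrs:
                findings.append(f"cookie {name} lacks Secure: also sent over plain HTTP")
    return findings

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(headers))
```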
Malicious captive portals
The "agree to terms" page that appears when you first connect to public Wi-Fi is a captive portal. A malicious hotspot can use a captive portal to inject a fake software update prompt, capture credentials entered into forms, or serve malicious JavaScript that exploits browser vulnerabilities.
"But I only visit HTTPS sites — am I safe?"
HTTPS significantly raises the difficulty of an attack, but it doesn't eliminate risk on public Wi-Fi. Here's what HTTPS protects and what it doesn't:
| Attack vector | HTTPS alone | HTTPS + VPN |
|---|---|---|
| Reading page content | Protected | Protected |
| DNS queries (domains visited) | Exposed | Protected |
| SSL stripping (HTTP downgrade) | Risk on non-HSTS sites | Protected |
| Evil twin hotspot | Exposed | Protected |
| Packet sniffing | Partial (content only) | Protected |
| Real IP exposure | Exposed | Protected |
The critical gap is DNS. Even when every website you visit uses HTTPS, your DNS queries — which domain names you're looking up — travel in plaintext by default. Anyone sniffing the network can see exactly which websites you're connecting to, even without seeing the page content.
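To make the DNS gap concrete, the added example below (not part of the original article) decodes the question section of a plain DNS query payload, which is all an observer needs to read the domain name. The sample query bytes are constructed by hand and the function name is illustrative.

```python
import struct

# Constructed DNS query payload for example.com (type A); built by hand, not captured.
SAMPLE_QUERY = bytes.fromhex(
    "1a2b" "0100"                       # transaction ID, flags (standard query)
    "0001" "0000" "0000" "0000"         # one question, no other records
    "076578616d706c65" "03636f6d" "00"  # QNAME: "example", "com", root label
    "0001" "0001"                       # QTYPE A, QCLASS IN
)
QTYPES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA", 65: "HTTPS"}

def parse_query(payload):
    """Return (domain, record type) from the first question of a DNS query."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query carrying a question")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length > 63:          # compression pointers are not expected here
            raise ValueError("unexpected label type")
        if pos + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), QTYPES.get(qtype, str(qtype))

if __name__ == "__main__":
    # No key or secret is involved: the name is readable directly from the bytes.
    print(parse_query(SAMPLE_QUERY))
```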
How a VPN protects you on public Wi-Fi
When you connect to a VPN before using public Wi-Fi, all traffic from your device — including DNS queries — is encrypted in a tunnel before it ever reaches the coffee shop's router. From the perspective of anyone monitoring the network, they see only that you're connected to a VPN server. The content, destinations, and even the volume of your traffic are hidden.
Even in an evil twin attack, the attacker intercepts only your encrypted VPN tunnel. Without the encryption keys, the traffic is unreadable. Your real IP address remains hidden. Your DNS queries are handled by the VPN's DNS servers inside the encrypted tunnel.
The VPN's kill switch ensures that if the VPN connection drops momentarily — common on unstable public Wi-Fi — your traffic pauses rather than falling back to the unprotected network.
How to use a VPN on public Wi-Fi (5 minutes)
Other public Wi-Fi safety habits
A VPN handles the biggest risks, but these habits add further layers of protection:
- Forget the network after use. Your device will otherwise auto-connect to any network with the same name in the future — including evil twin hotspots in different locations.
- Disable Wi-Fi when not in use. Even when you're not actively browsing, your device broadcasts probe requests for known networks. These can be captured to track your movement.
- Use 2FA on important accounts. If credentials are somehow compromised, two-factor authentication prevents account access without the second factor.
- Keep software updated. Many attacks on public Wi-Fi exploit known browser and OS vulnerabilities. Keep your operating system, browser, and apps current.
- Prefer cellular over unknown Wi-Fi. Your phone's mobile data connection is encrypted at the carrier level and far harder to attack than public Wi-Fi. Use it for sensitive tasks when in doubt.
Common questions
Is hotel Wi-Fi safer than coffee shop Wi-Fi?
Not significantly. Hotel networks often have hundreds of guests connected to the same network, and many hotel networks use older hardware with weaker security configurations. Some hotels use a single shared WPA2 password visible to every guest, which provides minimal protection. Treat hotel Wi-Fi with the same caution as any other public network.
Does a VPN slow down public Wi-Fi?
A VPN adds a small overhead — typically 10–20% speed reduction due to encryption. On fast public Wi-Fi (50+ Mbps), you won't notice this. On slow networks (5 Mbps at a busy airport), you may. Using a VPN server in a nearby city minimises latency. The security trade-off is worth it in almost every case.
Can the coffee shop see what I'm doing with a VPN?
No. With a VPN connected, the coffee shop's router sees only that you're sending encrypted traffic to a VPN server's IP address. It cannot see which websites you're visiting, what you're searching for, or any content you're viewing. The connection is opaque to anyone monitoring the local network.
Do I need a VPN on my phone for public Wi-Fi?
Yes. Mobile browsers and apps are just as vulnerable to public Wi-Fi attacks as desktop software. Most major VPN providers offer iOS and Android apps that work identically to their desktop versions. Set your phone to auto-connect to the VPN when joining any network that isn't your home or work network — most apps support this via a "trusted networks" feature.
Protect yourself on public Wi-Fi today
A VPN encrypts everything — browsing, DNS, every app — so public Wi-Fi attacks see only noise. Setup takes under 5 minutes.