
You’re sitting in a coffee shop, opening your laptop, tapping “Free Wi-Fi” – and you hesitate for a second. Is that safe? Is someone watching? Could a hacker on the same network drain your bank account?
The answer is less dramatic than many security guides suggest – but there’s a catch.
Where the fear comes from
Warnings about public Wi-Fi are as old as Wi-Fi itself. And they used to be justified: ten years ago, most websites transmitted data unencrypted. Anyone on the same network could use freely available tools to actually eavesdrop – emails, passwords, search queries. That wasn’t theory; it was a routine demo at security conferences.
Since then, the internet has fundamentally changed. Only the warnings haven’t.
What changed since then: HTTPS
The most important change has five letters: HTTPS. The lock icon in your browser’s address bar means the connection between your device and the website is encrypted – regardless of whether you’re at home, in a hotel or on a train.
And HTTPS is no longer the exception; it’s the norm. According to Google’s Transparency Report, over 95% of all Chrome page loads now use HTTPS. Your bank, your email provider, your favorite news site, your online store – they all encrypt automatically.
That means: even on an open Wi-Fi network, an attacker on the same network cannot simply read your passwords, your emails or your bank details. The encryption happens between your browser and the website’s server – the Wi-Fi in between is just the delivery route, and on that route all an eavesdropper sees is encrypted gibberish.
What an attacker can still see
Does that mean public Wi-Fi is completely risk-free? Not quite. Even with HTTPS, a few things remain visible:
- Which websites you visit – not what you do there, but the fact that you’re connecting to, say, chase.com, nytimes.com or tinder.com. The domain is briefly visible during the connection setup (through DNS queries and the Server Name Indication, or SNI, field that your browser sends unencrypted at the start of the TLS handshake).
- How much traffic you generate – an attacker could tell whether you’re streaming a movie or just checking email.
- When you’re online – timestamps of your connections.
That’s not access to your data, but it is a glimpse at your browsing habits. Whether that matters to you depends on your personal threat model. For the vast majority of people going about their day: probably not.
The real dangers – and they have little to do with the Wi-Fi
The risks lurking on public Wi-Fi are usually the same ones lurking at home – you just think about them more carefully when you’re at a coffee shop.
Fake networks: An attacker can set up a Wi-Fi network called “Hilton Lobby Free WiFi” that looks just like the real hotel network. Anyone who connects routes all their traffic through the attacker’s device. HTTPS still protects the content here too – but the attacker sees your DNS queries and can try to redirect you to manipulated websites.
Captive portals with a phishing flavor: Some public Wi-Fi networks require you to log in through a web page. Occasionally these ask for more information than necessary – email address, name, room number. That’s less of a technical attack and more of a data-harvesting operation.
Shoulder surfing: The most trivial and at the same time most underestimated danger in a coffee shop is the person at the next table looking at your screen. No VPN in the world helps against that – only a privacy screen on your display or a seat with your back to the wall.
Do I need a VPN at the coffee shop?
Let me be honest here – including about our own VPN article from April. There we wrote that public Wi-Fi networks are “the classic and strongest use case” for a VPN. That’s true in principle – but it deserves some context.
A VPN does add an extra layer of encryption and hides the domains you visit from eavesdroppers on the network. That’s real. But: HTTPS already does the heavy lifting. The contents of your communication – passwords, message text, account details – are encrypted even without a VPN, as long as the website uses HTTPS. What the VPN additionally protects is essentially the information about which websites you visit.
Whether that’s worth the effort depends on your situation:
- You’re quickly checking the news on airport Wi-Fi? HTTPS is enough.
- You regularly work with confidential company data at a coworking space? A VPN makes sense – and your employer probably provides one anyway.
- You’re traveling to countries with internet censorship? A VPN is essential – but for entirely different reasons.
The VPN industry makes billions by painting the dangers of public Wi-Fi as more dramatic than they actually are today. That doesn’t mean VPNs are useless – we covered the real benefits in detail in our VPN article. But the line “Without a VPN at the coffee shop you’re defenseless” was accurate in 2012 and is overblown in 2026.
What actually helps: five rules for when you’re out and about
Instead of a VPN, most people on public Wi-Fi mainly need common sense and a few simple habits:
1. Check the network name. Ask at the front desk or the staff for the exact Wi-Fi name. Don’t blindly connect to the strongest open signal.
2. Look for HTTPS. Before you enter a password anywhere, check for the lock icon in the address bar. No lock? No login.
3. Forget the network afterward. Most devices remember Wi-Fi networks and reconnect automatically. In your Wi-Fi settings, you can delete saved networks – or turn off auto-connect.
4. Keep your system up to date. The biggest danger on public Wi-Fi isn’t the eavesdropper – it’s an outdated operating system with known security holes. Updates are your first line of defense.
5. Use two-factor authentication. Even if someone could somehow intercept your password (which is extremely unlikely with HTTPS) – with a second factor, they still can’t get into your account.
Bottom line: less panic, more awareness
Public Wi-Fi today is significantly safer than its reputation suggests. HTTPS has fundamentally changed the rules. The horror stories about intercepted passwords date back to a time when most websites were still unencrypted – and that era is over.
That doesn’t mean you should carelessly use every open network you find. It means the danger lies somewhere different than most people think: not in the encrypted data stream, but in fake networks, in careless habits and in the simple fact that someone at the coffee shop can look over your shoulder.
Last week I was sitting in a hotel lobby on their Wi-Fi and hesitated for a moment before logging in. Old habit. Then I checked the lock icon in the address bar, read my emails – and closed the laptop. Not out of fear, but because I’d run out of coffee.
How do you handle public Wi-Fi? Cautious, relaxed or somewhere in between? Let us know in the comments – we’d love to hear your take.
I always log out of each site when I'm finished, and I completely close the browser after accessing a site that I'm particularly sensitive about.