The warnings about public wifi at coffee shops, airports, and hotels sound alarmist, but the underlying risks are real and well understood by security researchers, they’ve just gotten somewhat less severe over the past decade as more of the web adopted encryption by default.
What actually made public wifi risky in the first place
Open wifi networks (ones without a password, or with a password shared publicly) don’t encrypt traffic between your device and the router by default the way your home network with WPA2/WPA3 encryption does. Anyone else on the same network, using freely available tools, can potentially intercept unencrypted traffic passing over that connection, a technique broadly called packet sniffing.
Why it’s less dangerous than it used to be, but not zero-risk
Most of the web now uses HTTPS by default, the padlock icon in your browser, which encrypts the content of your traffic even over an unsecured wifi network. This closes off a lot of the easy attacks that were common a decade ago, like someone reading your unencrypted login credentials as they traveled over the network.
That said, real risks remain:
- Rogue access points — an attacker can set up a wifi network with a convincing name like “Airport_Free_WiFi” that you connect to instead of the legitimate one, giving them a direct view of your traffic before it even leaves the local network
- DNS spoofing — redirecting your device to fake versions of real websites, sometimes ones designed to steal login credentials
- Unencrypted apps and services — not every app or service uses HTTPS correctly, and some older or poorly-built software still transmits data in the clear
- Session hijacking — stealing session cookies to impersonate an already-logged-in user on certain sites
What a VPN actually protects against here
A VPN encrypts all of your device’s traffic before it leaves your device, not just the parts that would have been encrypted anyway. That means even if you connect to a rogue access point, or the network itself is compromised, an attacker on that network sees only encrypted VPN traffic, not the underlying content, regardless of whether the destination website uses HTTPS correctly.
What a VPN doesn’t protect against
A VPN doesn’t stop you from installing malware, doesn’t protect you if you enter your password into a phishing site that isn’t actually your bank, and doesn’t protect a device that’s already compromised. It’s specifically a network-traffic protection, not a general security product.
Practical takeaway
Public wifi is safer than it was ten years ago thanks to widespread HTTPS adoption, but rogue access points and network-level attacks are still real and hard to detect from a user’s perspective. If you’re regularly connecting to networks you don’t control, hotel wifi, airport lounges, coffee shops, a VPN removes an entire category of risk with very little effort on your part. See our Best VPN for Privacy & Security picks if you’re choosing one specifically for this.
