Public Wi-Fi in 2026: What Someone on the Same Network Can Actually See

HTTPS has changed the public Wi-Fi risk landscape significantly. Here's what's actually dangerous in 2026, what isn't, and what a VPN specifically protects you from.

The coffee shop Wi-Fi password is on the chalkboard. You connect, check your email, review a document, pay a bill. Nothing bad happens. You disconnect and leave.

Most of the time, that story ends fine. The risks of public Wi-Fi in 2026 are real, but they are frequently overstated, frequently understated in the wrong ways, and there is widespread confusion about which specific scenarios are dangerous and which are not.

What HTTPS actually protects

The single most important change in public Wi-Fi security over the past decade is the near-universal adoption of HTTPS. When you connect to a site over HTTPS, your connection to that site is encrypted end-to-end using TLS. Someone sitting on the same coffee shop network and capturing packets with Wireshark can see that you connected to google.com, but they cannot read your search queries, your email content, or your passwords.

As of 2024, over 95% of web traffic is encrypted according to Google's transparency report. That percentage was below 50% in 2015. The HTTP Strict Transport Security mechanism, combined with browsers defaulting to HTTPS and the Chrome security team's steady work deprecating mixed content, has made the old "never do online banking on public Wi-Fi" advice largely obsolete for modern HTTPS sites.

What someone on the network can still see: the domain name of every site you visit, because the DNS query is typically unencrypted and the TLS Server Name Indication field contains the hostname in plaintext unless the server and browser both support Encrypted Client Hello; the timing and volume of your traffic; and the IP addresses you connect to.

The evil twin attack

An evil twin is a rogue access point that mimics a legitimate one. An attacker sets up a hotspot named "Starbucks Wi-Fi" (or whatever matches the legitimate network) and waits for devices to connect. When they do, all their traffic flows through the attacker's device before reaching the internet.

Against HTTPS traffic, an evil twin attack does not break encryption. The attacker can see DNS queries and connection metadata, but not content. What the attacker can do is intercept DNS responses, redirecting you to a fake version of a login page that the attacker hosts. If you then enter your credentials on that fake page, which looks identical to the real one, the attacker has them.

Defenses against this attack: HTTPS alone does not protect against a well-executed phishing redirect. Browser certificate validation helps, but an attacker with a legitimate certificate for a lookalike domain can still create a convincing fake. The most reliable defense is a password manager that autofills only on the exact correct domain. If the URL is chase-secure-login.com instead of chase.com, the password manager will not fill in your credentials.

ARP spoofing and LAN interception

ARP spoofing is a technique where an attacker on the same local network sends forged ARP packets to convince other devices that the attacker's MAC address corresponds to the network gateway's IP. Devices then send their outbound traffic to the attacker instead of the router.

Against HTTPS this is essentially useless for reading content, for the same reasons as the evil twin attack. But it enables the attacker to inject responses, redirect HTTP traffic (unencrypted sites still exist), and capture credentials from any service that uses plaintext protocols. In practice, the combination of ARP spoofing with SSL stripping (downgrading HTTPS to HTTP) was a genuinely dangerous attack in 2015. HSTS preloading has largely closed that particular door for major sites.
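
A defender-side check for the forgery described above, as an added example that is not part of the original article: it reads neighbor-table output in the Linux `ip neigh` format and flags a gateway whose MAC differs from a recorded baseline or is shared with another host. The sample tables, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches Linux `ip neigh` lines such as:
#   192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
NEIGH_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) dev \S+ lladdr ([0-9a-fA-F:]{17}) \S+")

def parse_neigh(text):
    """Return {ip: mac}; entries with no lladdr (FAILED, INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def arp_findings(text, gateway_ip, baseline_gateway_mac=None):
    """Flag the two symptoms of a forged gateway entry in a neighbor table."""
    table = parse_neigh(text)
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac and baseline_gateway_mac and gw_mac != baseline_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} is now {gw_mac}, "
                        f"baseline was {baseline_gateway_mac.lower()}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # A MAC answering for the gateway AND another host is suspicious; it can be
    # benign on routers that own several addresses, so treat it as a lead.
    if gw_mac and len(by_mac[gw_mac]) > 1:
        others = sorted(ip for ip in by_mac[gw_mac] if ip != gateway_ip)
        findings.append(f"{gw_mac} claims gateway {gateway_ip} and also {', '.join(others)}")
    return findings

# Constructed samples (locally administered MACs, private addresses).
CLEAN = """192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 02:00:00:00:00:17 STALE
192.168.1.40 dev wlan0  FAILED"""
SPOOFED = """192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:17 REACHABLE
192.168.1.23 dev wlan0 lladdr 02:00:00:00:00:17 REACHABLE
192.168.1.40 dev wlan0  FAILED"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("spoofed", SPOOFED)):
        print(label, arp_findings(sample, "192.168.1.1", "02:00:00:00:00:01"))
```

On a network you join for the first time there is no baseline, so only the shared-MAC check applies; the baseline comparison is most useful on networks you return to.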

What still matters in 2026

The most realistic threat on public Wi-Fi today is not packet sniffing of encrypted traffic. It is the combination of DNS surveillance and behavioral profiling. Your ISP or network operator can see a detailed log of every domain you query. This metadata is often more revealing than the content would be: a pattern of DNS queries to oncology treatment centers, job listings sites, or legal services tells a story even without seeing the content.

Captive portals, those login pages at hotels and airports, often inject tracking code into HTTP responses and may log all your traffic. Connecting to a captive portal and accepting the terms of service frequently involves consenting to this collection.

Corporate devices on public networks face an additional risk from man-in-the-middle attacks against corporate VPN clients, particularly against legacy protocols like PPTP and L2TP/IPSec with weak configurations.

The Darkhotel precedent

From 2007 to at least 2014, a sophisticated threat group now called Darkhotel targeted executives staying in high-end hotels across Asia. They would connect to the hotel network, identify high-value targets, and serve malicious software updates through the hotel's network infrastructure. The attack required significant access to the hotel network, suggesting either compromise of hotel systems or an insider. This is not a threat relevant to most people, but it illustrates that hotel networks specifically have a history of being compromised and used for targeted attacks.

Practical steps that actually help

A VPN with a modern protocol (WireGuard or IKEv2) encrypts all your device traffic before it leaves your device, making DNS queries and traffic metadata invisible to the local network operator. This is genuinely useful on public networks and worth the small performance cost.

Enable "Private Wi-Fi Address" on iOS and Android. This randomizes the MAC address your device presents to Wi-Fi networks, preventing networks from tracking your device across visits.

For DNS specifically, configure your device to use an encrypted DNS resolver (1.1.1.1 via DoH or your VPN provider's DNS). This prevents the network operator from logging your domain queries.

Do not automatically connect to open networks. iOS and Android both have settings to disable automatic connection to open networks or to ask before joining unknown networks.

Frequently asked questions

Is it safe to do online banking on public Wi-Fi?

On a modern HTTPS banking site, the content of your transactions is encrypted and cannot be read by someone on the same network. The risk is from phishing redirects and credential theft on fake sites, which is the same risk you face on any network. Using a VPN eliminates the DNS surveillance risk. Using a password manager prevents phishing.

Can someone see what I'm downloading on public Wi-Fi?

If you are downloading over HTTPS, they can see the size and timing of the download and the domain it came from, but not the content. If the download is over unencrypted HTTP, the content is visible.

Does using HTTPS mean I'm safe on public Wi-Fi?

Largely yes for content protection. No for metadata protection: domain names, timing, and traffic volume are still visible to the network operator regardless of HTTPS.

How does a VPN help on public Wi-Fi?

A VPN creates an encrypted tunnel for all your traffic before it reaches the local network. The coffee shop Wi-Fi operator sees only encrypted traffic going to your VPN server. They cannot see DNS queries, destinations, or content.

Check your current connection details: ip-checker.pro shows your visible IP, ISP, and approximate location.
