How Public Wi-Fi Affects Your Privacy
Public Wi-Fi is convenient - And dangerous. Using it without protection exposes your browsing activity, login credentials, and personal data to other users on the same network and to the network operator. If you use a VPN on public WiFi, read our public WiFi + VPN guide for the correct order of operations.
Risks of Public Wi-Fi
| Risk | Description | Mitigated by HTTPS? |
|---|---|---|
| Man-in-the-middle attack | Attacker intercepts traffic between your device and the router | Partially - Metadata still exposed |
| Rogue hotspot | Fake network mimicking a legitimate one (e.g. "Airport WiFi") | No - DNS can still be hijacked |
| Packet sniffing | Recording unencrypted traffic on the network | Yes - HTTPS encrypts payload |
| DNS hijacking | Network redirects your DNS queries to a malicious server | No - Use DNS-over-HTTPS |
| Session hijacking | Stealing session cookies to impersonate you on a site | Yes - For HTTPS-only cookies |
How to Stay Safe on Public Wi-Fi
- Always use a VPN - It encrypts all traffic between your device and the VPN server. After connecting, run a VPN leak test to confirm nothing is leaking.
- Look for HTTPS in the address bar - Avoid entering passwords on HTTP sites.
- Turn off auto-connect for Wi-Fi networks - Always confirm the network name with staff. If the portal isn't appearing, see our captive portal fix.
- Use your mobile data hotspot instead of public Wi-Fi for sensitive tasks.
- Enable your firewall and keep your OS updated with security patches.
What the Network Operator Can See
Even without an attacker present, the operator of any Wi-Fi network you join - The cafe, the hotel, the airport, or whoever runs their router - Sits on the path of all your traffic. What they can observe depends on what protection you add:
| Your Protection | Visible to the Network | Hidden from the Network |
|---|---|---|
| None (HTTP sites) | Every page, every form field, every password | Nothing |
| HTTPS only | Domains you visit (via DNS and TLS SNI), connection times, data volumes, your device's MAC and hostname | Page contents, credentials, cookies |
| HTTPS + encrypted DNS | IP addresses you connect to, TLS SNI domain (unless ECH), traffic volume | Page contents plus your DNS query history |
| VPN | Only that you are connected to a VPN server, and how much data flows | Every destination, every domain, all contents |
Your device leaks data before you even browse
Phones and laptops broadcast probe requests for remembered networks, and the network learns your device hostname and MAC address on connection. Modern iOS and Android use randomised MAC addresses per network to blunt this - Make sure "Private Wi-Fi Address" (iPhone) or "Randomized MAC" (Android) is enabled for public networks.
Step by Step: Joining Public Wi-Fi Safely
| Step | Action |
|---|---|
| 1 | Confirm the exact network name with staff - "FreeCoffeeWiFi" and "Free_Coffee_WiFi" may be different networks, one of them rogue |
| 2 | Join the network and complete the captive portal login before connecting your VPN - The portal cannot load through a tunnel (see the VPN vs captive portal guide) |
| 3 | Connect your VPN immediately after the portal accepts you |
| 4 | Run the VPN leak test to confirm your real IP and DNS are hidden |
| 5 | When you leave, tell your device to forget the network so it won't auto-rejoin a spoofed copy later |
Does a Wi-Fi Password Make a Network Safe?
Not by itself. A password on the door (WPA2/WPA3) encrypts the radio link, but everyone who has the password is inside the same network - On WPA2-Personal, other users who captured your connection handshake can still decrypt your traffic, and the operator sees everything regardless. WPA3's per-session encryption improves this between users, yet the operator-visibility problem remains. Treat a password-protected cafe network exactly like an open one: fine for casual browsing over HTTPS, but add a VPN for anything sensitive. The full risk catalogue is covered in our public Wi-Fi security risks FAQ.
What This Means for You
The realistic threat on public Wi-Fi today is less the movie-style hacker and more the quiet accumulation of metadata: which sites you visit, when, for how long, from which device - Collected by network operators, sold by analytics partners, or harvested by a rogue hotspot. HTTPS already protects your passwords on legitimate networks; your remaining exposure is DNS queries, destination metadata, and rogue-network tricks. A reputable VPN closes all three at once, which is why "portal first, then VPN, then leak test" is the only habit you really need to build.
Frequently Asked Questions
Is it safe to do online banking on public Wi-Fi?
With HTTPS - Which every bank uses - Your credentials and session are encrypted even on hostile networks, so the practical risk is low. The remaining dangers are rogue hotspots and fake login pages, so type the bank's address yourself, never follow portal links, and prefer a VPN or your phone's cellular data for extra margin.
Can the Wi-Fi owner see my browsing history?
Partly. On an ordinary connection the operator can log every domain you visit via your DNS queries and TLS metadata, plus timing and data volumes - But not the contents of HTTPS pages. Encrypted DNS hides the query trail; a VPN hides the destinations entirely.
Should I use a VPN on every public network?
It is the simplest rule that works. Connect to the network, complete any login portal, then enable the VPN before doing anything else. If the VPN refuses to connect, fix the portal conflict first rather than browsing unprotected.