Content of the article

Public Wi-Fi: What Seems Safe but Isn’t Actually a Good Idea

We love free internet in cafes, hotels, and airports. Who doesn’t like convenience? You connect and get right to work. But convenience often comes at the cost of security. Public Wi-Fi is like a kettle in a hostel: it looks clean, but you have no idea who used it yesterday or what they did. And yes, even if you see the HTTPS lock icon, that’s not a full-proof shield. In 2026, attackers are smarter, tools are easier to use, and the stakes are higher.

Sound worrying? A little. That’s exactly why we’re going to break it all down: how and why HTTPS isn’t a catch-all, which attacks really work today, how attackers exploit captive portals and fake access points, what VPNs can and can’t do, and how you and I can reduce risks to nearly zero — without paranoia, but with awareness.

We’ll keep it simple, straightforward, personable, with clear facts, numbers, and cases. So you don’t just nod along, but actually change your habits. Ready? Let’s go!

Why “Free” Wi-Fi Rarely Comes Without a Price

When you use public Wi-Fi, you’re actually paying with your data. Authorization portals collect your email, phone number, device fingerprints, and sometimes try to subscribe you to push notifications. Network admins can see traffic metadata — what domains you visit, when, and how much data flows. But what if the network admin is actually an attacker on the same Wi-Fi? Then you’re looking at MITM attacks, DNS spoofing, phishing, and session theft.

How Attackers “See” Your Device

Routers or fake access points monitor ARP, DHCP, DNS, and TLS handshakes. Even without decrypting HTTPS, they can learn a lot from metadata: SNI (if not encrypted), IP addresses, packet sizes, and request frequency. Add public traffic from unprotected apps and protocols — and the puzzle fits a little too well.

The Myth of “I’ve Got HTTPS, I’m Safe”

We love seeing the lock icon in the browser address bar. But HTTPS protects the channel between your browser and the server, not the connection between the access point and the network owner’s conscience. If an attacker replaces DNS and sends you to a phishing clone with a valid certificate (yes, that happens if the chain is compromised, misconfigured, or you trust a malicious root certificate on your device), your confidence actually works against you. And if the attack happens before you even reach HTTPS (say, via a captive portal), you won’t see a lock icon at all.

How HTTPS Works in 2026 and Why It’s Not a Magic Bullet

Most browsers in 2026 default to TLS 1.3 and support Encrypted Client Hello (ECH) to hide the SNI. This is a big improvement. But it’s not perfect. The devil’s in the details — redirects, initial unprotected clicks, mixed content, incomplete HSTS, older apps, and weak router settings. Plus, there’s the trust problem with root certificates and user-installed MDM profiles.

TLS 1.3, ECH, HTTP/3, and the Reality of Café Networks

HTTP/3 built on QUIC speeds up and encrypts transport, while ECH hides the domain in the encrypted client hello. Great on paper. But café networks often throttle or block QUIC to save bandwidth and filter traffic, forcing clients to fall back to HTTP/2 or even HTTP/1.1. This exposes compatibility gaps attackers exploit by blocking new protocols or substituting responses at first contact.

HSTS Helps—Until Someone Turns It Off

HSTS tells browsers: “Always use HTTPS.” It works well if the site is preloaded or the user has visited it over HTTPS before. But if it’s the first visit and the network forces a redirect over HTTP, there’s a small but real attack window. Now imagine a router that strips out HSTS headers (acting as a proxy) or forces downgrade. Rare, but it happens in shady networks with aggressive filtering.

The Problem with Trusted Certificates and MDM Profiles

Sometimes devices have extra trusted root certificates installed—via pirated VPNs, corporate profiles, or outdated antivirus software. On public Wi-Fi, attackers can trick you into “updating your internet certificate” via a fake captive portal. If you accept, a TLS MITM becomes straightforward. We’ve seen this in hotels and busy tourist spots.

Real Threats on Public Networks: From MITM to DNS Spoofing

The list of attacks is long, but here are the ones actually encountered in the wild in 2026: MITM (via ARP spoofing or proxies), DNS spoofing with domain substitution and DoH blocking, Evil Twin with cloned SSIDs, phishing captive portals with proxy scripts, and session hijacking in apps without strict pinning.

MITM via ARP Spoofing

A classic: the attacker convinces your device that they are the default gateway. All packets route through them. They see a lot — domains, IPs, handshake attempts. If they manage to push a proxy certificate or force client downgrade to HTTP, deep inspection begins. Good news: modern OSes offer better protection, but public networks often disable it for “compatibility.”

DNS Spoofing and DoH/DoT Blocking

Everyone loves DNS over HTTPS, but many captive portals block DoH/DoT until after you authenticate — and then forget to unblock it. In that gap, attackers easily spoof responses: ask for bank.example, get bank-secure-login.example instead. Next up is SSL stripping or exploiting rare buggy valid certificates. Without alert users and app-side protections, trouble ensues.

Evil Twin and Clone Set Up in Two Minutes

Creating a fake access point with the same SSID, MAC mask, and a stronger signal? Just a few clicks and minutes. This “twin” silently intercepts your traffic, especially if auto-connect is on. In 2026, this became easier thanks to cheap compact devices and tools that auto-copy network settings. And many devices still connect to the strongest signal without questioning it.

SSL Stripping and HSTS Downgrade: What It Looks Like in Real Life

SSL stripping means you’re pushed from HTTPS down to HTTP before any protection kicks in. Like luring someone onto a dimly lit staircase: one wrong step and you’re on a slippery path.

Scenario 1: Redirect Before HTTPS

You typed the address without https. The attacker intercepts the first request and serves a fake HTTP proxy site that looks like the real thing. The “Login” button leads to the genuine HTTPS page, but your form data is already captured. Visually, everything flickers fast, the user notices nothing, and the session gets hijacked.

Scenario 2: Compatibility Bugs and Partial HSTS

Some sites use HSTS partially: subdomains aren’t protected, lifetime’s short, no preloading. An attacker serves an unprotected subdomain where you log in out of habit or via an ad. Then it’s a free-for-all: cookies, tokens, social engineering.

Scenario 3: User Certificate

A fake captive portal offers to “unlock internet access” by installing an “access certificate.” One tap, and MITM even on HTTPS becomes possible. Less common in 2026, but still active at tourist hubs and big events — especially when the network dangles coupons, discounts, or “ad-free bonus Wi-Fi.”

Captive Portal Attacks Without Magic: Where Even Careful Users Get Caught

Authorization portals are legit tools. But attackers love them because they normalize redirects. See an unfamiliar page? Yeah, it’s a portal. So users click. That’s when attackers slip in anything — from fake certificates to “browser update” prompts.

Phishing Pages Masquerading as the Network

Café logos, airport names, even matching color schemes. Super convincing. These portals ask for emails, social media passwords “to log in,” card numbers “to verify a 1-ruble charge,” or Apple/Google IDs for “syncing.” You’d be surprised how many people fall for it. We’ve seen conversion rates of 3–7% at big events — a lot.

Push Attacks and QR Traps

A QR code on the table says, “Connect to fast Wi-Fi.” You scan it and land on a page asking to install a profile or subscribe to notifications. Then floods of push alerts come with phishing links: “Your session expired,” “Confirm payment.” These pop up hours later at home. Definitely unpleasant.

Proxy Scripts and Token Collection

Some portals embed proxy scripts that watch browsing until the browser caches redirects. Your habits get tracked, IDs collected, and risks pile up for future targeting. This isn’t always cybercrime — sometimes just aggressive marketing — but it’s no fun either.

Rogue AP and Evil Twin: Will You Spot the Swap?

You think you’re connected to “Airport_Free_WiFi.” Actually, you’re on “Airport_Free_WiFi” running on a laptop an attacker placed two meters away, with a stronger signal. Internet flows, everything’s fast, coffee’s hot — perfect. Until it isn’t.

Signs of a Swap

Unstable certificates, weird redirects, sudden DoH/DoT failures, constant “This connection may be monitored” warnings, captive portals popping up on every new site. Add unexpected requests to install profiles, proxy changes, or “security updates.” Two blinks and you should get suspicious.

Why WPA2-Enterprise Isn’t Always a Savior

Corporate networks using 802.1X and EAP are a step up, but users often skip verifying the RADIUS server name. Evil Twin easily inserts a fake RADIUS with a self-signed certificate, and clients accept it. In 2026, mobile OSes warn better, but human error remains.

WPA3, SAE, and Reality

WPA3-Personal with SAE is harder to brute-force, but it doesn’t prevent MITM at the IP or DNS level if the attacker controls the access point. Encryption between client and AP isn’t a shield against the world—especially if the AP hosts the attacker.

VPN in 2026: Strengths, Limits, and Myths

VPNs are powerful tools, but no magic wand. They encrypt your traffic from the access point to the VPN server, hide DNS requests (if set up right), and break many MITM scenarios. But they don’t protect against phishing, don’t fix what you willingly install (like a malicious certificate), and sometimes break around captive portals.

What VPNs Actually Protect

When your VPN kicks in before network access, all traffic travels through an encrypted tunnel. Attackers can’t see domains, content, or requests. A good VPN runs DNS inside the tunnel, shielding against DNS spoofing. Plus, a kill switch cuts off traffic if the tunnel drops. In 2026, protocols like WireGuard and IKEv2/ChaCha20 are fast even on mobiles, and some providers use QUIC transport for better stability on flaky connections.

Where VPNs Fall Short

Phishing page? VPN won’t flag it if the TLS cert is valid. Malicious profile installation? VPN won’t detect that. Token theft in apps without pinning? VPN can’t help if the app accepts MITM via user certificates. Plus, VPN might not start before captive portal authentication, leaving an open attack window.

Split-Tunneling and Fine-Tuning

Many enable split-tunneling “for speed.” Attackers love this: some traffic bypasses the tunnel and can be intercepted. For public Wi-Fi, it’s better to have strict full-tunnel, disable local networking, and enable a kill switch. Not always convenient, but more peaceful sleep.

Practical Best Practices: A No-Fuss Checklist

Let’s skip the theory. Real steps and habits that work. We'll start with basics, then move to fine-tuning and business angles.

Basic Rules for Everyone

  • Don’t enter passwords or card info on public Wi-Fi unless absolutely necessary. If you must, do it only through a VPN and only on verified domains.
  • Turn off auto-connecting to open networks. Better to connect manually and forget networks after use.
  • Pay attention to certificate warnings. Any “security error” on public Wi-Fi is a red flag. Close the tab.
  • Never install profiles, root certificates, “internet boosters,” or “browser updates” via portals.
  • Use a separate sandbox browser for public networks with no saved sessions or logins.

Technical Settings That Help

  • Enable VPN with auto-start and kill switch. Disable split-tunneling on public networks.
  • Make sure your system uses DoH/DoT inside VPN. Block local DNS if the provider tries to force it.
  • Set system to require PIN or biometrics before installing root certificates. Check trusted cert lists quarterly.
  • Turn on HTTPS-Only Mode in your browser. Use session isolation extensions (containers) and a password manager with phishing detection.
  • Enable MFA/2FA, preferably hardware keys or passkeys. SMS OTPs are a minimum but better than nothing.

For Phones and Laptops

  • On iOS and Android: block background sync for heavy apps on open networks if VPN’s off.
  • On Windows and macOS: enable firewall, block incoming connections on public networks, disable file sharing and AirDrop/Nearby Share temporarily.
  • Set up a separate Wi-Fi profile called “Public”: no auto-connect, VPN reminders, and local network restrictions.

For Businesses and Teams

  • MDM policies: forbid user-installed root certificates, mandate always-on VPN, control trusted CA lists.
  • Use SASE/ZTNA with device posture checks: corporate access only from devices with up-to-date patches and disk encryption turned on.
  • Implement DNS filtering via secure resolvers with policies blocking newly registered domains (DGA, fast-flux).
  • Train staff twice a year. Show live Evil Twin demo — it boosts caution dramatically.

Cases: What It Looks Like in Real Life

Some stories without fluff. Learning from others’ mistakes is cheaper than your own.

Case 1: Airport and “Fast Ad-Free Access”

A network with an authorization portal. Nearby, an attacker launched an Evil Twin with the same SSID and stronger signal. The portal looked identical but offered an “accelerator” via profile installation. Ten percent of users agreed. Next came MITM even on banking sites, token theft, and redirects to phishing pages. Result: several hacked accounts and corporate emails leaked.

Case 2: Coffee Shop and SSL Stripping on First Click

A user typed the address without https. The attacker inserted an HTTP proxy on the first request. They grabbed the login form, forwarded the data to the real site, user noticed nothing. Two hours later, strange activity showed up in the account. MFA and audit logs helped limit damage, but the unease stayed.

Case 3: Conference, QR Code, and Push Phishing

Organizers hung QR codes to “connect to Wi-Fi.” Someone swapped a few stickers. The fake portal signed people up for push notifications. Within a day, messages urged “Confirm login.” Conversion was 4%. Enough to spark social media buzz and a couple of sad stories.

Modern 2026 Trends Changing the Game

Without context, you get stuck in old advice. In 2026, three shifts happened: mass ECH adoption, passkeys replacing passwords, and ZTNA integration into corporate devices. Sounds bureaucratic, but it’s a serious security boost.

ECH and Hiding the SNI

Widespread ECH support cuts domain leaks during the first handshake. This reduces passive reconnaissance effectiveness on public Wi-Fi. However, fallback to older protocols (common in “legacy” access points) weakens protection. Don’t disable modern protocols for “compatibility” if you can avoid it.

Passkeys and WebAuthn

When your account uses a device and biometrics instead of a password, “just stealing a password” won’t get you in. Combine passkeys with geographic and device login restrictions, and public Wi-Fi gets a lot less scary.

ZTNA and SASE in Practice

Corporates have moved from VPN tunnels to internal proxies checking context: who you are, what device, patches status, disk encryption, root status. On public networks, this approach sharply reduces social engineering success: stolen passwords alone won’t grant access.

Step-by-Step Settings on Popular Platforms

Let’s get practical: what to click today for a safer tomorrow. No screenshots, just clear steps.

iOS 18 and iPadOS

  • Settings → Wi-Fi → Your network → Auto-Join: off for open networks. Private Wi-Fi Address: on.
  • Settings → VPN → Add Configuration: choose WireGuard or IKEv2. Enable “Connect on Demand” and “Block traffic without VPN” (kill switch via MDM profile or config).
  • Settings → Safari → Advanced → HTTPS-Only Mode: on. Disable third-party profiles, check trusted certificates.

Android 15

  • Network & Internet → Wi-Fi → Settings → Auto-connect: off for open networks. Random MAC address: on.
  • VPN: install client supporting always-on and blocking traffic without VPN. Enable DNS over VPN, disable local DNS.
  • Chrome → Security Settings → Use secure DNS → enable DoH (through VPN if supported). Enable password protection and phishing alerts.

Windows 12

  • Network & Internet → Wi-Fi → Manage known networks: remove open ones, disable auto-connect.
  • Firewall: Public profile → block incoming connections. Disable file and printer sharing.
  • VPN: use WireGuard/IKEv2, enable “Disconnect on VPN failure.” Set policy to “Allow traffic only through VPN” on public networks.

macOS 15

  • Network → Wi-Fi → Advanced: remove open networks, disable auto-join for unknown ones.
  • Firewall → Enable → Block all incoming connections on public profiles. Disable AirDrop or limit to Contacts only.
  • Set up VPN to connect when public network detected. Safari → Enable “Prefer HTTPS” and tracking prevention.

Phishing and Social Engineering: Why People Click

Technique is easy to counter with settings. People? Not so much. We click when rushed, tired, promised a bonus, or when “it seems legit.” Public Wi-Fi is perfect for time pressure: you’re queuing to board, coffee’s cooling, colleagues ping “what’s up?” That’s where they get us.

How to Protect Yourself

  • Pause for three seconds before clicking any unfamiliar portal. If IP:portal asks for your email password, that’s almost certainly a scam.
  • Look for phishing signs: unusual domains with hyphens, strange TLDs, browser complaints. When in doubt, check through mobile internet, not the same Wi-Fi.
  • Use a password manager: it won’t autofill passwords on wrong domains. No autofill? Time to check that address bar carefully.

Mobile Apps — A Silent Risk

Not all apps enforce strict server certificate pinning. That means in MITM setups using user certificates, they might trust attackers. Many apps fixed this by 2026, but not all. Keep critical services in browsers using passkeys and strict settings, not sketchy apps.

Common Mistakes We Keep Making

Honestly? We all slip. Let’s call things out and stop repeating them.

Auto-Connecting to Everything

Turn it off globally. It’s better to spend 10 seconds choosing a network than 10 hours recovering your account.

Ignoring Certificate Warnings

“Must be a café glitch.” Nope. Nine times out of ten, browser warnings mean exactly what they say. Walk away.

Using Work Passwords on Open Networks

If you can avoid it, don’t do it. In emergencies, only via corporate ZTNA/VPN with MFA in a trusted browser.

For Developers and Admins: What to Do Today

Users will keep hitting public Wi-Fi. Our job? Make sure even in bad conditions, it’s not scary.

For the Web

  • Strict HSTS with includeSubDomains and preloading. Set it for at least 1–2 years.
  • Drop mixed content. Use Content Security Policy and enforce HTTPS-only mode.
  • Enable WebAuthn/passkeys. Minimize password dependence.
  • Monitor subdomains and typosquatting. Set automatic alerts for new domain clones.

For Mobile Apps

  • Certificate pinning with key rotation. Handle untrusted root certificates securely.
  • Block critical features on rooted/jailbroken devices. Enable MITM protection in SDKs.
  • Fail-closed: don’t proceed if the certificate looks suspicious.

For Corporate Networks

  • MDM policies, ZTNA, device posture checks, and certificate control. Block local proxies and unsigned profiles.
  • Logs and anomaly detection: TLS error spikes, DoH blocks, mass portal re-authentications — all signals to watch.

Quick Checklist Before Connecting to Public Wi-Fi

  1. Is this network really needed? Verify the name with staff.
  2. Is auto-connect off? Good.
  3. Does VPN start automatically? Is kill switch active?
  4. Is your browser in HTTPS-Only mode? Password manager ready?
  5. No profile or certificate installs, even if they say “must have”?
  6. Postpone payments and admin tasks if possible.

What to Do If You Suspect an Attack

Don’t panic. The plan is simple. Short steps, big safety.

Step-by-Step

  • Disconnect from Wi-Fi immediately and switch to mobile data.
  • Change passwords for critical accounts, revoke sessions and tokens.
  • Check trusted certificates and profiles. Remove anything suspicious.
  • Enable login alerts, add/reissue passkeys, update MFA.
  • Review logs for logins from strange regions or recovery attempts. Contact support if needed.

Minimal Risk with Maximum Common Sense

Public Wi-Fi is like a taxi at night: sometimes necessary, but don’t get reckless. A bit of caution, a few good settings, smart habits — and you’re in the top 10% of the hardest targets. Attackers go for easier prey.

Let’s agree: no paranoia, but no blindness either. Turn on VPN early, avoid shady profiles, heed warnings, love passkeys and ZTNA, and clean trusted certificates twice a year. Small things matter. And yes, your coffee won’t get cold, we promise.

FAQ: Common Questions About Public Wi-Fi and Security

Is HTTPS alone enough in 2026 to stay safe?

No. HTTPS is the baseline, but it doesn’t protect against phishing, can’t stop captive redirects, and won’t help if you install a malicious cert. It’s important, but not a fortress. Add VPN, HTTPS-Only, passkeys, and healthy skepticism.

Does VPN solve all public Wi-Fi problems?

No. VPN encrypts traffic and hides DNS, but doesn’t fix phishing or social engineering. It can’t help if you trust an attacker via installed profiles. Use VPN as a foundation, not the whole defense.

How risky are captive portals?

As risky as your willingness to click without reading. Legit portals exist, but they normalize that “weird window” feeling. That’s the main attack surface. Don’t enter passwords for unrelated services, don’t install profiles or certificates. Ever.

Should I disable auto-connect to open networks?

Yes. That’s the best way not to get stuck on an Evil Twin. Connect manually, verify network names with staff, and forget networks after use. Also, enable random MAC (Private Address).

What’s more important: DoH/DoT or VPN?

If you had to pick one, VPN, because it encapsulates both DNS and all traffic. But better together: DoH/DoT inside VPN. Make sure your system doesn’t fall back to local DNS on public Wi-Fi.

Are passkeys needed if I have good passwords and 2FA?

Yes. Passkeys cut phishing risk almost to zero by tying logins to domains and devices. Combined with 2FA, they raise the cost of attack dramatically.

Is it safe to use banking services on public Wi-Fi?

You can, but it’s better through mobile data or a tightly configured VPN with HTTPS-Only mode and a password manager. If you see any certificate warnings or weird redirects, disconnect and switch networks immediately.