Public WiFi has a reputation problem — in both directions.

For years, the standard advice was blunt: never do anything sensitive on coffee shop WiFi because a hacker at the next table can see everything you do. That advice made sense when much of the web still ran over unencrypted HTTP. It is far less accurate today.

At the same time, saying “public WiFi is perfectly safe now” goes too far.

The honest answer is more useful: public WiFi is not the danger it used to be, but it is still an untrusted network. Treat it accordingly.

What changed

The old fear was based on unencrypted web traffic.

Years ago, many websites used plain HTTP. Anyone on the same network could potentially capture traffic with freely available tools. In some cases, attackers could see what users were doing, collect credentials, or hijack web sessions.

That world has largely changed.

Today, the overwhelming majority of mainstream websites use HTTPS, which encrypts the connection between your device and the website. Banking, email, shopping, social media, cloud platforms and most major web services now use encrypted connections by default. Reputable mobile apps generally protect traffic in similar ways.

That means the classic “person at the next table reads your banking password over the air” scenario has largely been engineered out of normal web browsing.

But HTTPS does not make every risk disappear.

An observer on the coffee shop network may not see what you type into your banking site, but they may still see that your device connected to that bank’s domain. They may not be able to read your email, but they may still be able to observe connection patterns.

And if you are tricked into using the wrong site, HTTPS will protect the connection to the attacker just as effectively as it protects a connection to a legitimate service.

Encryption protects the connection. It does not prove the destination is trustworthy.

What is still risky

The risk has changed. It is less about simple traffic snooping and more about a smaller set of practical concerns.

Fake networks

Nothing stops someone from creating a hotspot called “Cafe_Guest_Free” and waiting for people to connect.

A fake network cannot normally break modern HTTPS by itself, but it can still create opportunities for phishing, forced login pages, fake captive portals, malicious redirects, certificate warnings, or prompts to install software.

The defence is simple:

  • Confirm the network name with staff.
  • Be suspicious of networks that ask you to install software.
  • Do not accept certificates from a WiFi login page.
  • Avoid entering unnecessary personal information.
  • Treat unusual login prompts as a warning sign.

Fake websites

HTTPS is necessary, but it is not sufficient.

A scam website can also use HTTPS. The lock icon, or the presence of “https,” means the connection is encrypted. It does not mean the site is legitimate.

The better habit is to check the domain, not just the lock.

If you are signing in to a bank, cloud service, email account or corporate system, make sure the address is the real one. If your browser warns you about a certificate problem on a site you trust, stop. Do not click through the warning.

That warning is the security model doing its job.

Metadata exposure

Even when content is encrypted, some connection information may still be visible to the network operator or an observer on the network.

For most people, this is a privacy concern rather than a major security event. But context matters. If you are working on sensitive legal, financial, corporate, government, investigative or personal matters, even the pattern of your connections may reveal more than you intend.

For ordinary browsing, the risk is modest. For sensitive work, it is worth being more deliberate.

Captive portals and data collection

The WiFi login page itself can also be a privacy issue.

Some public hotspots collect email addresses, device information, marketing consent, social-login details, or tracking information before granting access. That may be a business model rather than an attack, but it is still worth noticing.

Avoid using social login for public WiFi when possible. Do not provide more information than necessary. If the network demands too much personal data for casual access, consider using your phone’s hotspot instead.

Your own device settings

The bigger practical risk is often your laptop, not the WiFi network.

File sharing left enabled, an outdated operating system, weak local firewall settings, old browser versions, and devices configured to trust local networks can expose you to unnecessary risk.

When connecting to public WiFi, mark the network as public in your operating system. That setting typically reduces local discoverability, disables unnecessary sharing, and tightens how your device behaves around other devices on the same network.

This is one of the most useful public WiFi controls, and one of the least discussed.

Shoulder surfing

Low-tech attacks still work.

The person sitting behind you does not need packet-capture tools if they can watch you type your password, read a confidential document, see a customer name, or photograph your screen.

In public places, shoulder surfing remains one of the most realistic risks. A privacy screen, good seating position, password manager, biometric unlock, and basic situational awareness often matter more than advanced network advice.

What you should actually do

The practical checklist is short.

1. Keep your device updated

Keep your operating system, browser, security software and applications current. Many real-world attacks depend on old software.

2. Confirm the network name

Ask staff which network is legitimate. Do not assume the strongest signal or most official-looking name is the right one.

3. Turn off auto-join

Do not allow your device to automatically connect to unknown or previously used public networks. Auto-join is convenient, but it can connect you to networks you did not consciously choose.

4. Set the network type to public

On Windows, macOS and other platforms, use the public or untrusted network profile when available. The goal is to make your device less visible and less open to nearby devices.

5. Check the domain

Do not rely only on the lock icon. Confirm that the website address is correct, especially before entering credentials, payment details, customer data or corporate information.

6. Respect browser warnings

If your browser warns you about an invalid certificate or unsafe connection, stop. Do not click through because you are in a hurry.

7. Avoid installing anything from a WiFi login page

A public WiFi portal should not require software, certificates, browser extensions or unusual system changes. If it does, use another connection.

8. Use your phone hotspot for sensitive work

For banking, confidential business, legal work, executive communications, privileged administration, source code, sensitive customer data or anything you would not want exposed, use cellular data or your phone’s hotspot.

It removes the shared local network from the equation.

Where VPNs fit

A reputable VPN can reduce what the local network can observe once the VPN is connected. It is especially useful for frequent travellers, remote workers, and employees accessing corporate systems from hotels, airports, conferences and coffee shops.

But a VPN is not magic.

It does not protect you if you type your password into a fake website. It does not make a malicious WiFi portal trustworthy. It does not stop shoulder surfing. It also shifts some trust from the local network to the VPN provider.

For corporate use, VPN or zero-trust access may be required by policy. For casual personal browsing on mainstream HTTPS sites, a VPN is useful but not always necessary. For sensitive work, it is a reasonable additional layer.

The enterprise version

For organizations, the question is not whether coffee shop WiFi is terrifying. The question is whether remote access is designed on the assumption that employees will sometimes use untrusted networks.

That means:

  • Managed devices
  • Current patches
  • Endpoint protection
  • Multi-factor authentication
  • Conditional access
  • Device posture checks
  • DNS protection
  • Secure browser configuration
  • VPN or zero-trust access for sensitive systems
  • Clear guidance on when employees should use cellular data instead of public WiFi

The goal should not be to ban coffee shop WiFi. That is unrealistic.

The goal is to make the network less important to the security outcome.

A well-designed environment should not depend on every employee perfectly identifying every safe and unsafe network. It should assume public networks are untrusted and still protect the user, device, identity and data.

The bottom line

The scary version of public WiFi is partly a decade out of date. Encryption fixed much of the old problem.

What remains is more practical and manageable:

  • Fake networks
  • Fake websites
  • Metadata exposure
  • Overreaching captive portals
  • Weak device settings
  • The person sitting behind you

Public WiFi is not automatically dangerous. It is also not automatically trustworthy.

Connect deliberately. Confirm the network. Keep your device updated. Treat certificate warnings seriously. Use your phone’s hotspot or corporate remote-access tools for truly sensitive work.

That is the whole playbook.

Ethics and Transparency Statement

This article was prepared with AI assistance for drafting, editing and structure. The final judgment, conclusions and responsibility for publication remain with the author.

No vendor paid for, reviewed or approved this article. Product categories are discussed for general security awareness and are not endorsements or recommendations of any specific browser, VPN provider, mobile carrier, WiFi provider, security product or remote-access technology.

Disclaimer

The views expressed in this article are my personal views and do not necessarily reflect the views, positions or opinions of my employer, its affiliates, leadership, customers or partners.

This article is provided for general informational and educational purposes only. It does not constitute legal, compliance, security, privacy or professional advice. Public WiFi risk varies based on the user, device, operating system, browser, applications, network configuration, data sensitivity, threat model and operating environment.

Individuals should make decisions based on their own needs and risk tolerance. Organizations should evaluate public WiFi guidance and remote-access controls in the context of their security architecture, endpoint management capabilities, regulatory obligations, acceptable-use policies and business requirements.

Sources and further reading

Keywords

public WiFi, coffee shop WiFi, WiFi security, public network security, HTTPS, VPN, fake WiFi network, evil twin hotspot, captive portal, metadata exposure, shoulder surfing, remote work security, mobile hotspot, zero trust access, endpoint security, secure browsing, cyber hygiene, privacy, cybersecurity awareness, enterprise security, network security