Skip to content
FalseSecurityLast updated: July 10, 2026

Public Wi-Fi is always safe

Open public Wi-Fi networks carry some real interception risk on unencrypted connections, but the widespread adoption of HTTPS encryption across most websites and apps has substantially reduced the practical danger compared to a decade ago, making the threat smaller than commonly assumed for typical browsing.

What we know

Public Wi-Fi networks, particularly open networks without a password at coffee shops, airports, and hotels, have long carried a reputation as a serious security risk, based on legitimate techniques such as packet sniffing, where an attacker on the same network intercepts unencrypted data traveling between a device and the internet, and man-in-the-middle attacks, where an attacker positions themselves between a user and their intended destination to intercept or alter traffic. These risks were significantly more serious in the past, when a much larger share of internet traffic traveled unencrypted.

The security landscape has changed substantially since roughly the mid-2010s with the widespread adoption of HTTPS, the encrypted version of the web's core communication protocol, which the Electronic Frontier Foundation and Google have both tracked climbing from a minority of web traffic around 2014 to the strong majority of page loads in Chrome by the late 2010s, and to over 95 percent by the mid-2020s according to Google's Transparency Report. HTTPS encrypts the content of communication between a browser and a website, meaning that even if an attacker intercepts the raw data traveling over an open Wi-Fi network, the content itself, including passwords entered on an HTTPS-secured login page, is encrypted and not readily readable without breaking the encryption, a task computationally infeasible for typical attackers using standard equipment.

This does not mean public Wi-Fi carries zero risk. Some risks remain independent of HTTPS adoption, including the possibility of connecting to a malicious network specifically set up to mimic a legitimate one, sometimes called an evil twin network, where an attacker creates a Wi-Fi access point with a name resembling a legitimate business's network to lure victims into connecting, after which the attacker can attempt more sophisticated interception techniques or redirect users to fake login pages. Additionally, older apps or websites that have not fully adopted HTTPS, or that have HTTPS implementation flaws, remain vulnerable to interception on any network, public or private.

Security researchers, including analyses published by cybersecurity firms such as Norton and Kaspersky, generally now characterize the risk of open Wi-Fi as reduced but not eliminated, noting that a user practicing basic precautions, such as verifying a network's legitimate name with venue staff, ensuring sites visited use HTTPS (indicated by a padlock icon in the browser address bar), and avoiding entering sensitive information on any site lacking this encryption, faces meaningfully lower risk than commonly assumed a decade ago, when unencrypted connections were far more prevalent.

Virtual private networks, or VPNs, are often recommended as an additional layer of protection on public Wi-Fi, encrypting all traffic from a device regardless of whether an individual site uses HTTPS, though the practical benefit for a user only visiting sites that already use HTTPS is smaller than commonly marketed, since the encryption a VPN adds is often redundant with the encryption HTTPS already provides for that specific connection. The most significant remaining public Wi-Fi risk for most users today is not casual data interception but rather connecting to a deliberately malicious spoofed network, a distinction that shifts the most effective precaution toward verifying network legitimacy rather than assuming all open Wi-Fi is equally and severely dangerous.

Common claims

  • Public Wi-Fi is just as safe as your home networkFalse. Public networks lack the encryption and access controls of properly secured home networks.
  • HTTPS means you are fully protected on public Wi-FiPartially true but incomplete. HTTPS protects content but DNS, metadata, and non-HTTPS traffic remain exposed.
  • Only criminals use public Wi-Fi to steal dataMisleading. Packet sniffing tools are freely available; risk comes from the open network structure, not criminal intent alone.