
The Truth About Public Wi-Fi Security (It's Worse Than You Think)

By Kunal Khatri · Feb 13, 2026

The coffee shop Wi-Fi advice has been oversimplified for years — 'use a VPN, you'll be fine.' The actual threat model on public networks is more nuanced, some of the old attacks are less relevant now, and some newer ones are worse than ever. Here's what's actually going on.

The Man-in-the-Middle Reality

On a typical home network, your device connects to a router you control. On public Wi-Fi, you're connecting to someone else's hardware, on a network shared with strangers. A classic man-in-the-middle (MITM) attack intercepts traffic between your device and its destination — possible on public networks when the attacker is on the same network segment.

The widespread adoption of HTTPS has significantly reduced what a MITM can read. If you're on an HTTPS site, your traffic is encrypted end-to-end and a network-level attacker sees ciphertext. The attack surface has shifted rather than disappeared: unencrypted traffic (old HTTP sites, some legacy apps, certain IoT devices) remains fully exposed.

Evil Twin Attacks

An evil twin is a rogue access point set up to mimic a legitimate one. The attacker creates an open Wi-Fi network with the same name as the coffee shop's network — 'CoffeeShop_Free' — with a stronger signal. Devices that auto-connect to known networks will connect to the evil twin instead. Now all traffic goes through the attacker's equipment first.

This attack works because most devices aggressively auto-connect to previously seen networks. Disabling auto-connect for public networks is a start, but the right move is deleting public networks from your saved list after you're done with them.

HTTPS Stripping and SSL Interception

SSL stripping attacks downgrade HTTPS connections to HTTP during the initial handshake, before the browser shows any warning. The victim thinks they're on a secure site; they're not. HSTS (HTTP Strict Transport Security) defeats this for sites that implement it — the browser refuses to connect over HTTP regardless. Major sites use HSTS. Not all sites do.
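To see why "implements HSTS" is not a yes/no property, here is an added example (not from the original article) that parses a `Strict-Transport-Security` header following the RFC 6797 rules and grades how much stripping protection it gives. The function names, the grade labels and the sample headers are constructed for illustration; the one-year threshold is the hstspreload.org submission minimum.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year in seconds (hstspreload.org minimum)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a dict of directives, or None if a browser would ignore it."""
    directives = {}
    # Simplification: assumes no ';' inside a quoted directive value.
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # empty directives are permitted
        name, _, val = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # quoted-string form is permitted
        if name in directives:
            return None                   # each directive may appear only once
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                       # max-age is mandatory and numeric
    return directives

def assess(value, over_https=True):
    """Grade the stripping protection a response header provides."""
    if not over_https:
        return "ignored"                  # browsers discard HSTS sent over HTTP
    d = parse_hsts(value)
    if d is None:
        return "ignored"                  # malformed header has no effect
    age = int(d["max-age"])
    if age == 0:
        return "none"                     # max-age=0 deletes the stored policy
    if "includesubdomains" in d and "preload" in d and age >= PRELOAD_MIN_AGE:
        return "strong"                   # meets preload-list requirements
    if "includesubdomains" in d:
        return "good"                     # host and subdomains, after first visit
    return "partial"                      # this host only, after first visit

# Constructed sample headers, not captured from real sites.
SAMPLES = [
    "max-age=63072000; includeSubDomains; preload",
    'Max-Age="86400"; INCLUDESUBDOMAINS',
    "max-age=31536000",
    "max-age=0",
    "max-age=300; max-age=600",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{assess(header):8} {header}")
```

Anything below "strong" still leaves the very first visit to a site over an untrusted network unprotected, because the browser has no stored policy yet.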

What a VPN Actually Fixes Here

A VPN on public Wi-Fi encrypts everything from your device to the VPN server, regardless of the underlying network. Evil twin attacks become largely irrelevant — the attacker sees an encrypted tunnel they can't read. SSL stripping can't happen on already-encrypted VPN traffic. The VPN's DNS resolver handles queries, preventing local DNS poisoning.

The one remaining risk: the VPN connection itself failing silently. A kill switch — which blocks all traffic if the VPN drops — is essential on public networks. Without it, your traffic briefly reverts to unprotected whenever the VPN hiccups.
