How to Stay Safe on Public WiFi Networks

Public WiFi is safer than it’s ever been. Thanks to the rise of HTTPS encryption and encrypted WiFi hotspots, it’s much harder for attackers to intercept and change your data than it used to be.

However, some security risks remain. If you connect to a compromised WiFi hotspot, an attacker may be able to see your web activity or hack your device.

In some cases, attackers may be able to hack a free WiFi router in order to divert all traffic to malicious clones of banking or shopping websites. This would enable them to steal your login details when you try to use those services through that public WiFi router.

There’s also a privacy risk, even when using legitimate public WiFi. The WiFi operator may still be able to monitor and record the websites you visit and share this information with third parties.

Does a VPN Protect You on Public WiFi?

Using a VPN is the easiest way to protect your internet traffic on public WiFi networks.

A VPN will encrypt all of the internet traffic leaving your device. If someone tries to monitor or intercept your web traffic while you’re connected to a VPN server on an unsecured network, all they’ll see is a meaningless combination of letters and numbers.

This prevents the WiFi operator from seeing your browsing activity, and it also prevents attackers from manipulating your internet traffic or coordinating an attack.

Free WiFi networks are much more secure than they used to be. However, public WiFi doesn’t come without risks. If you don’t take necessary precautions, your traffic may still be vulnerable to interception and manipulation by attackers.

If the WiFi hotspot is compromised or operated by an attacker, your data and device security could be at risk.

Here’s a more detailed list of the real dangers posed by public WiFi networks in 2023:

Unencrypted WiFi Networks

Most public WiFi networks are now password-protected, which means they’re encrypted. If you’re connected to a password-protected network and a user outside of the network intercepts your connection, they won’t be able to decrypt your data in order to understand it.

If you connect to a free WiFi network without a password, you’re using an unsecured connection without encryption, which is much less secure. In this case, everything you do online can be captured and understood by other people within range.

Even if you’re connected to a password-protected network, there are still potential risks. Firstly, the person running the access point can still intercept and understand what you’re doing, so you’re relying on the network owner being trustworthy.

Secondly, it’s still technically possible to intercept and decipher your web traffic on a password-protected WiFi network. It all depends on the security of the WiFi network.

For example, on a network using WEP encryption, all data is encrypted with the pre-shared key you used to get on the network (i.e. the WiFi password). That means everyone on the network can decipher everyone else’s traffic without a problem.

It’s a little more difficult on WPA-PSK or WPA2-PSK networks, which use individual, per-session encryption keys. However, it’s not impossible. Those keys are derived from the pre-shared key (the WiFi password), which still poses a potential risk.

On WPA-Enterprise or WPA2-Enterprise networks, all the per-client per-session keys are derived completely independently, which means it’s impossible to decode other users’ traffic. In this case, an attacker would have to set up a fake hotspot to gain access to your data.

HTTPS vs HTTP Websites

Most websites today use an encrypted connection called HTTPS, which uses TLS (Transport Layer Security) to secure the information passing between your device and a web server.

HTTPS is an encrypted version of the HTTP protocol, a basic internet standard for accessing web pages. It stops most third parties from seeing what you’re doing on a website, and also stops them inserting malicious code into your web traffic.

If the website you’re visiting is HTTPS-enabled, you’ll see a padlock in the top left-hand corner of your browser’s address bar:

HTTPS has made public WiFi — and the Internet as a whole — much safer. However, HTTPS does not guarantee that you’re safe online, especially on public networks. You’re still vulnerable to some Man-in-the-Middle attacks, phishing, certificate authority issues, and to any vulnerabilities in SSL/TLS.

Most importantly, HTTPS won’t protect your DNS queries, which can be intercepted and manipulated to redirect you to an alternative server under their control. For this reason, we recommend using HTTPS in combination with a VPN.

HTTPS will prevent the WiFi network provider from seeing the individual pages you visit, but they will still see the domain names of the websites you’re browsing.

The most popular websites are all secured using HTTPS today, but you should look out for sites that aren’t. An attacker could easily monitor your activity or insert malicious code into unencrypted (HTTP) web traffic, and it can be monitored and logged by the WiFi provider, too.

Sites that have a secure connection may not default to it, either: Google reports that 3 out of the top 100 non-Google websites don’t. To stay safe on those sites, you’ll need to use a VPN or a browser extension that forces HTTPS connections.

Worryingly, 5% of Google’s visitors do not use HTTPS because the devices or software they’re using are too old to support modern encryption standards. If you’re using an outdated device that doesn’t support HTTPS, consider upgrading if you can.

Man-in-the-Middle (MitM) Attacks

A Man-in-the-Middle (MitM) attack refers to any scenario in which a malicious third party interrupts or alters the communication between two systems.

When a MitM attack occurs on public WiFi, the attacker is interrupting the connection between your computer and the web server you’re trying to connect to.

On an unsecured network, attackers can alter key parts of the network traffic, redirect this traffic, or inject malicious content into an existing data packet.

An attacker could display a fake website or login form, replace links with malicious alternatives, add pictures, and much more.

Hackers can also trick people into revealing or changing their passwords, exposing highly personal information.

MitM attacks are popular with hackers because they are cheap, easy, and effective. All a hacker needs is something like the WiFi Pineapple — a portable device that looks a bit like a WiFi router, and costs just $120.00.

These simple devices enable virtually anyone to create a fake WiFi access point and carry out a Man-in-the-Middle attack. They are commercially available and sold in most computer hardware stores.

The WiFi Pineapple can interface with hundreds of devices at a time. Security researchers use it to execute attacks on public WiFi networks in order to test how safe the network is and learn how to protect it against attacks.

However, it’s clearly a dangerous tool in the wrong hands. Attackers can easily use the WiFi Pineapple to gather sensitive personal data from unwitting public WiFi users.

The WiFi Pineapple can also be used to run SSLstrip, software that changes secure HTTPS requests to their insecure HTTP equivalent.

Modern browsers are designed so that web servers can tell browsers they should use HTTPS, which helps fight against this. However, this protection doesn’t take effect until your second visit to the site.

Fake Hotspots & Evil Twin Attacks

Fake hotspots or ‘Evil Twin attacks’ are among the most common and most dangerous threats on public WiFi connections. An attacker can use them to steal your unencrypted data and infiltrate your device.

To carry out this attack, an attacker simply imitates a public WiFi network with a seemingly legitimate name like ‘Free_Cafe_WiFi’ and waits for their victims to connect. Less sophisticated hackers may even choose names like ‘FREE INTERNET’ to entice people.

An Evil Twin attack is very easy to pull off — you can see this seven year-old doing it in 11 minutes.

WiFi Pineapples can even actively scan for SSID signals. These signals are used by phones to find and connect to known WiFi networks. Fake hotspots can impersonate a familiar network by copying those SSID signals.

This means that anyone with a WiFi Pineapple can trick your phone or laptop into connecting to a dangerous WiFi network just by being nearby. It appears to the user as if they’re connected to a network that they’ve previously connected to.

It is incredibly easy to fall for a fake WiFi hotspot. At the 2016 US Republican Convention, more than 1200 people connected to unknown free WiFi networks because they had targeted names like ‘I Vote Republican! Free Internet’. As a result, 68% of users at the convention exposed their identities when they connected.

These were fake networks set up in a test by Avast to make a point about public WiFi — but the consequences could have been severe.

Always be careful of auto-connecting to a network, particularly if its name or location seems suspicious.

DNS Spoofing

DNS Spoofing or ‘DNS cache poisoning’ is a specific type of Man-in-the-Middle attack designed to divert traffic away from legitimate servers and redirect it toward fake ones. This type of attack is particularly popular over unprotected public WiFi networks.

DNS queries are sent from your device every time you connect to a website. When you enter a URL into your browser’s address bar, you first contact a DNS nameserver which finds the matching IP address (e.g. 192.168.1.1) for the domain you’re looking for (e.g. example.com).

DNS spoofing is when a third party changes the entries in a DNS nameserver’s resolver cache. This is like changing the phone number in a directory — if someone altered the entry for ‘example.com’, any user trying to access that website would be sent to a different IP address specified by the hacker.

In this way, attackers can send users to phishing sites that look almost identical to the intended destination. These websites are designed to trick users into entering sensitive data such as their username and password.

Often, public WiFi hotspots are operated by small businesses that do not have the technical knowledge to keep the router fully secure. They might not have changed the default password and probably haven’t updated the firmware.

Hackers can install malware on insecure routers. This malware sends all the DNS queries to their malicious server. The attacker can then divert traffic for legitimate websites toward malware and phishing websites.

Session Hijacking

Session hijacking is another type of Man-in-the-Middle attack that allows a malicious third party to gain full control of your online accounts. It is much less of a risk than it used to be, thanks to the rise of HTTPS.

‘Sessions’ are temporary states established between two communicating devices, such as your device and a web server. The session is established using authentication protocols that ensure the devices know who each other are.

When you log onto a website you are assigned a session cookie — a file containing details about your interaction with the web server. As you browse the website, the server will ask your machine to authenticate itself by resending this cookie.

Session hijacking copies these cookies to impersonate your device and steal your identity.

The most valuable session cookies are those sent to users logging in to highly-secure websites, such as shopping or banking sites.

On an unsecured network, attackers can use specialized software called ‘session sniffers’ to identify and intercept your session cookies.

Session sniffing software is incredibly easy to access, even though it is illegal to use it for eavesdropping and data snooping.

There are several steps you can take to protect your data and device on public WiFi networks.

In this section, we’ll talk you through using a VPN to encrypt your web traffic, how to change your browsing behavior, and how you can configure your device settings for better security.

1. Use a Virtual Private Network (VPN)

If you use public WiFi networks regularly, then a virtual private network (VPN) is the best investment you can make toward security and peace of mind.

A top-rated VPN tackles all of the potential threats we’ve mentioned in this guide, regardless of the network you’re on. In short, a VPN keeps your browsing secure by encrypting your internet traffic, routing it through a secure tunnel, and masking your true IP address.

VPNs create a secure tunnel between your device and a private VPN server. This server then forwards your traffic on to the website or application you’re accessing.

When you use a VPN, all of your web traffic is encrypted. If someone is monitoring your internet connection, all they’ll see is a meaningless combination of letters and numbers.

This stops even the WiFi operator from being able to monitor your activity, and prevents attackers from manipulating your web traffic. If the VPN has its own first-party DNS servers, your DNS requests cannot be spoofed or diverted either.

It’s still possible for a VPN to be hacked through vulnerabilities in its servers or connection protocols. It’s not a bulletproof tool for complete online security, but it’s still an essential part of any security-conscious user’s toolkit.

2. Change Your Browsing Behavior

While public WiFi is much safer than it used to be, you can’t totally eliminate the risk. Routers can get hacked remotely, and hotspots can be set up by hackers in busy places to harvest information.

As a result, it’s still necessary to be mindful of your online behavior when you’re using a network you’re not familiar with — especially if you’re not using a VPN service.

3. Change Your Device Settings

There are some simple adjustments you can make to your devices that will make them far less susceptible to attacks:

Turn Off Automatic WiFi Connection

One of the first things you should do is turn off automatic WiFi connections. This will stop your device from connecting to random open hotspots.

To turn off automatic WiFi connections on Windows:

1. Navigate to the Settings menu.
2. Click Network & Internet > Wi-Fi > Manage Known Networks.
3. Select any network you don’t want to automatically connect to.
4. Uncheck the option labeled ‘Connect Automatically When in Range’.

To turn off automatic WiFi connections on a Mac:

1. Navigate to the System Preferences menu.
2. Select ‘Network’.
3. Select any network you don’t want to automatically connect to.
4. Toggle the ‘ask to join networks’ switch to prevent automatic connection.

To turn off automatic WiFi connections on an iPhone:

1. Navigate to the Settings menu.
2. Tap on the ‘WiFi’ option.
3. Select any network you don’t want to automatically connect to.
4. Toggle the ‘Auto-Join’ switch to prevent automatic connection.

Enable Your Firewall

A firewall is a network security feature that monitors the traffic flowing to or from your network. It allows or blocks traffic based on a set of predefined security rules, and helps to prevent unauthorized access to your device.

Most computers now use a firewall by default. If you’re not sure whether your firewall is on or off, it’s worth checking.

To enable the firewall on Windows:

1. Open the Start menu and navigate to Settings.
2. Choose ‘Privacy & Security’.
3. Select ‘Windows Security’ and then ‘Firewall & Network Protection’.
4. Make sure the firewall is on.

To enable the firewall on a Mac:

1. Open the System Preferences menu.
2. Choose ‘Security & Privacy’.
3. Select the ‘Firewall’ tab at the top of the page.
4. Unlock the window by clicking the lock in the bottom-left corner.
5. Click ‘Turn On Firewall’ to enable the firewall.

Software Updates

It’s important to keep your computer, laptop, or phone as up-to-date as possible. Fortunately, most software updates are enabled automatically.

Software updates usually contain security patches. These will protect you against known vulnerabilities that hackers can easily exploit.

It’s possible to trigger a fake software update on your computer if you’re on a public network. For this reason, you should never download software updates over public WiFi — particularly if the alert box pops up while you’re on that hotspot.

Make sure to disconnect and check for updates when you’re on a secure and private connection.

Disable Sharing

It’s best to turn off file sharing, Bluetooth and AirDrop on your device unless you intend to use them. Having them on all the time is unnecessary and increases the risk of malware-infected files finding their way into your system.

Enable HTTPS-Only In Your Browser

Modern browsers include HTTPS-Only mode, which automatically moves you to the secure HTTPS version of a website if you find yourself on the unencrypted HTTP version.

If you were previously using the HTTPS Everywhere browser extension to do this, you don’t need it any more. As of January 2023, it’s now deprecated and mostly redundant.

To enable HTTPS-Only mode in Firefox:

1. Click the menu button and choose Settings.
2. Select ‘Privacy & Security’.
3. Scroll down to ‘HTTPS-Only Mode’.
4. Use the radio button to enable HTTPS-Only Mode in all windows.

To enable HTTPS-Only mode in Chrome:

1. Click the menu button and choose Settings.
2. Select ‘Privacy & Security’.
3. Select ‘Security’.
4. Scroll down to ‘Always Use Secure Connections’.
5. Click to toggle it on.

To enable HTTPS-Only mode in Edge:

1. Visit edge://flags/#edge-automatic-https in your browser.
2. Where it says Automatic HTTPS, choose ‘Enabled’.
3. Click the button to restart your browser. It will keep your open tabs.
4. Visit edge://settings/privacy in your browser.
5. Scroll down to ‘Automatically Switch To More Secure Connections With Automatic HTTPS’.
6. Select the radio button to ‘Always Switch From HTTP To HTTPS (Connection Errors Might Occur More Often)’.

Edge only offers HTTPS-Only as a developer feature for now, so hopefully it will become easier to enable and disable in the future.

To enable HTTPS-Only mode in Safari, Simply upgrade your browser to Safari 15 or later for macOS Big Sur and macOS Catalina. The browser automatically enables its HTTPS Upgrade feature.

Enable DNS over HTTPS

As we’ve already mentioned, your DNS requests are still exposed during HTTPS connections. DNS over HTTPS (DoH) is a technology designed to cover these cracks by encrypting your DNS queries.

However, it only works if you’re using a compatible DNS server, such as Google Public DNS or Cloudflare.

In Firefox, you can enable DNS over HTTPS in the browser’s ‘Network’ settings.

In Chrome, DNS over HTTPS is called Secure DNS and it is enabled in: Settings > Privacy & Security > Security.

In Edge, find the option in: Settings > Privacy, Search and Services > Security > Use Secure DNS.

4. Enable Two-Factor Authentication

Enabling two-factor authentication (2FA) on your online accounts goes a long way to protect you against data theft.

With 2FA enabled, even if a hacker manages to get hold of your usernames and passwords, they won’t be able to log in to your accounts without additional verification codes.

If you’re going to use free public WiFi, we recommend installing a secure VPN. A VPN sets up an encrypted tunnel between your device and a remote server. This prevents anyone — including the WiFi hotspot operator — from snooping on your connection or interfering with it.

A good VPN will also have its own first-party DNS servers to protect you from DNS spoofing.

To use a VPN on public WiFi:

1. Subscribe to a trustworthy VPN service. Most secure VPNs are premium services, but they usually have a money-back guarantee if you change your mind. You can read our VPN reviews for help choosing the right service.
2. Install the VPN software. Download the VPN client and install it on your device.
3. Open the VPN client. It’s sensible to set it to start automatically when your device powers up, so you don’t run the risk of forgetting to turn it on.
4. Log in to your VPN account.
5. Choose a VPN server. In many cases, the VPN software can choose the nearest or fastest for you. However, you can choose a specific server if you need to change your VPN location or download content that’s restricted to another country.
6. Ensure the kill switch is enabled. This cuts the connection to avoid any data leaking if the VPN connection should fail.
7. You can now browse the web safely over public WiFi.

In the video below, we demonstrate how to download and set up a VPN service, using ExpressVPN as an example:

Using a VPN will hide your IP address and obscure your web traffic, but it won’t protect you from everything. You’ll still be vulnerable to the following risks:

• Any malware you download. You still need to be careful when downloading and installing software to ensure you’re using legitimate sources. Beware of phishing attacks or any attempts by the hotspot to get you to install unknown software.
• Malware that’s already installed on your device.
• Any other malicious content on web pages you download. If you visit a website that’s been compromised, the risk is the same with or without a VPN. You’re still inviting the content into your device.

What is the Best VPN for Public WiFi?

Based on our testing of over 65 VPN services, the best VPN you can get is ExpressVPN. It uses industry-leading security features to protect you on public WiFi networks, including AES-256 encryption, first-party DNS servers, and a kill switch to prevent data leaks if the VPN connection drops.

It’s available for Windows, Mac, Linux, Android and iOS. It will protect all of your web traffic, which is especially important on mobile devices where you can’t tell whether an app uses encryption or not.

Although it costs slightly more than some other VPN services, we think ExpressVPN is worth it.

If you’re on a tight budget, the best free VPN overall is Proton VPN Free. Like ExpressVPN, it offers AES-256 encryption and has a VPN kill switch. However, it has a limited number of servers and it doesn’t have its own DNS servers, so it won’t protect you from DNS spoofing.

How Do I Make Sure Public WiFi is Secure?

Always make sure you’re connecting to a legitimate WiFi network that’s password-protected. If you don’t know who’s operating the network, don’t connect to it.

The easiest way to make sure you are secure on public WiFi is to use a VPN, which will encrypt all of the traffic leaving your device.

Even if you’re connected to a compromised WiFi hotspot, a VPN will stop the hotspot operator snooping on your connection or manipulating your web traffic.

Is Public WiFi Safe With a VPN?

As long as you’re using a secure VPN provider with AES-256 encryption and a kill switch, public WiFi is actually safer when you’re using a VPN service.

VPNs establish an encrypted connection between your device and a remote server. When you’re connected to a VPN, your web traffic is shielded from malicious users on the same network who might try to intercept it.

Even though a VPN can significantly improve your security, it isn’t a bulletproof solution. VPN software won’t protect you from malware that’s already on your device, and it won’t prevent you from falling victim to phishing attacks.

Can Public WiFi See Your Browsing History?

If you’re not using a VPN, the WiFi owner can see which websites you visit, even if they’re encrypted using HTTPS. If the sites don’t use HTTPS encryption, the WiFi operator can see every individual web page you visit, too. Most routers keep a log of the websites visited through them.