
Most public WiFi attack warnings are built on a 2013 threat model. In 2013, tools like Firesheep could grab session cookies off open WiFi in seconds because most web traffic was unencrypted. That world is mostly gone. Today, roughly 95-99% of web traffic travels over HTTPS, session cookies carry Secure and HttpOnly flags, and browsers enforce HTTP Strict Transport Security (HSTS) on major sites. The classic attacks are largely neutralized.

That does not mean public WiFi is safe. It means the threat model has shifted, and the risks that remain are different ones.
The Myth: Classic Coffee-Shop Attacks Are Still Devastating
Packet sniffing passwords and reading your email
Tools like Wireshark can still capture every packet on a shared WiFi network. What attackers find is almost entirely encrypted ciphertext they cannot read. A decade ago this technique yielded plaintext credentials from HTTP login forms, unencrypted email, and readable session cookies. On a modern network the same capture produces noise.
The small minority of HTTP sites still in the wild are the exception. If your browser shows a padlock, the content is encrypted.
Cookie sidejacking (Firesheep-style attacks)
The old "sidejacking" attack worked because session cookies were transmitted in plaintext. Sites now set session cookies with the Secure flag (sent over HTTPS only), the HttpOnly flag (inaccessible to scripts), and SameSite restrictions, and browsers enforce them. Over-the-air cookie theft from HTTPS sessions is not a realistic coffee-shop attack in 2026.
Session hijacking still happens at scale in 2026, but through infostealers installed on endpoints and adversary-in-the-middle phishing proxies that intercept tokens after authentication. Neither attack requires you to be on public WiFi.
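A site owner can check their own responses for the cookie flags and HSTS described above. This is an added example, not code from the article; the two header sets are constructed samples and the function names are hypothetical.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0], attrs

def audit_cookie(value):
    """List which of the three protections named above a cookie lacks."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure, also sent on plain-HTTP requests")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly, readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict", "none"):
        findings.append(f"{name}: no SameSite, left to the browser default")
    return findings

def hsts_enforced(headers):
    """True if Strict-Transport-Security carries a non-zero max-age."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), "")
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        digits = val.strip().strip('"')
        if key.strip().lower() == "max-age" and digits.isdecimal():
            return int(digits) > 0
    return False

def audit_response(headers):
    """Audit one response's headers (a dict with a single Set-Cookie value)."""
    findings = audit_cookie(headers["Set-Cookie"]) if "Set-Cookie" in headers else []
    if not hsts_enforced(headers):
        findings.append("no HSTS: a first request may still go over plain HTTP")
    return findings

# Constructed sample responses, not captured from any real site.
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Set-Cookie": "sid=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax"}
LEGACY = {"Set-Cookie": "PHPSESSID=3f9a; path=/"}

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(label, audit_response(resp) or "no findings")
```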
Malware injected into downloads over WiFi
This required the network operator to intercept HTTP traffic and modify it in transit. HTTPS with integrity verification (the MAC on each TLS record) makes this technically impossible on encrypted connections. It can still happen on HTTP downloads, which is one reason to treat any file downloaded over HTTP with suspicion regardless of network.
The Reality: What Actually Threatens You in 2026
Evil twin networks
This is the attack that survives HTTPS and remains genuinely dangerous. An attacker creates a WiFi hotspot with an identical or near-identical name to the legitimate network. "Starbucks_WiFi" could be the real network or a rogue access point on a nearby laptop. Most devices auto-join known network names, so your phone may connect silently.
What can the attacker do once you are on their network? They cannot silently decrypt your HTTPS sessions. What they can do is serve a convincing captive portal login page, observe which domains you visit via DNS and SNI metadata, and position themselves for credential phishing.
Before connecting anywhere, ask staff for the exact network name and password. Verify the name character by character.
Fake captive portals and credential harvesting
Most public networks require you to pass through a captive portal before getting internet access. Attackers combine an evil twin with a pixel-perfect imitation of the venue's login page.
A controlled study found 52% of participants entered their email credentials when presented with a fake "Sign in with Google" portal that appeared on a rogue network. The portal can mimic a hotel's branding, colors, and logo exactly.
Red flags: Any captive portal that asks you to log in with your Google, Microsoft, or Apple credentials should stop you immediately. Airports and hotels do not need access to your identity provider. A certificate warning when the portal loads is another stop sign.
Also avoid portals that ask for email addresses plus passwords. Legitimate venue portals typically collect only an email address and accept a checkbox.
DNS and SNI metadata leaks
HTTPS encrypts the content of your connections but leaves two pieces of metadata exposed to anyone on the local network or operating the network:
- DNS queries: When your device looks up yourbank.com, that query is often sent in plaintext. The DNS resolver, the network operator, and a local attacker with a packet capture can all see which domains you visit.
- TLS SNI (Server Name Indication): Even after the DNS lookup, the TLS handshake includes the hostname in plaintext so the server knows which certificate to present. Anyone observing the connection sees the destination domain.
A VPN routes both DNS and the SNI field through an encrypted tunnel, hiding domain-level browsing from the local network. You can check whether your DNS queries are exposed with our DNS Leak Test. After connecting a VPN, run our VPN Leak Test to confirm nothing is slipping through.
Encrypted Client Hello (ECH), which encrypts the SNI field, is now supported in Firefox by default and gaining infrastructure support from Cloudflare and NGINX, but it is not yet universal. A VPN remains the more reliable protection today.
The remaining HTTP minority
Roughly 8-12% of websites still serve content over HTTP. On these sites, the old attacks work: content is readable, forms transmit credentials in plaintext, and a network-level attacker can modify responses. Most modern browsers flag these sites, but users often click through warnings.
In my testing, major services (banking, email, social, shopping) are uniformly on HTTPS with HSTS enforced. The HTTP survivors are mostly small or abandoned sites. Still, any sensitive action on an HTTP site over public WiFi is genuinely risky.
Network operators watching you
Legitimate venue operators, including hotel chains and airport concession networks, often log DNS queries per device and use commercial analytics platforms that track behavior across sessions. Captive portal terms of service frequently grant permission for this logging. This is not an attack; it is the business model.
Running DNS over HTTPS or a VPN prevents the network operator from seeing your DNS traffic.
What HTTPS Does and Does Not Protect
| Protected by HTTPS | Not Protected by HTTPS |
|---|---|
| Content of requests and responses | Which domains you visit (DNS + SNI) |
| Login credentials on HTTPS forms | Connection timing and data volume |
| Data integrity (cannot be modified in transit) | Whether you connected at all |
| Session cookie values in transit | Captive portal phishing |
HTTPS is the most important security layer on public WiFi, but it is not the complete picture.
How to Actually Protect Yourself
On device settings: turn off auto-join
Your device auto-connecting to known network names is what makes evil twin attacks work.
- iPhone (iOS 16+): Settings, tap Wi-Fi, tap the (i) next to a saved network, toggle off Auto-Join.
- Android: Settings vary by manufacturer. On stock Android, go to Wi-Fi, tap the saved network, then turn off Auto-Connect. On Samsung, check Wi-Fi, Saved networks.
- Windows 11: Settings, Network and Internet, Wi-Fi, Manage known networks, select the network, toggle off "Connect automatically."
- macOS Sequoia/Sonoma: System Settings, Wi-Fi, click Details next to the saved network, toggle off "Automatically join this network."
Forget public networks entirely after use. There is no reason to store "AirportFreeWifi_Gate12."
Use a VPN for metadata privacy
A VPN hides DNS queries, the SNI field, and any remaining HTTP traffic from the local network and operator. Connect it before you do anything else on public WiFi. It does not protect against a fake captive portal before the VPN is active, so connect to the VPN as soon as you authenticate to the portal.
NordVPN includes a Threat Protection feature that blocks malicious domains in addition to tunneling traffic, which helps with portal-delivered phishing attempts.
After connecting, confirm your VPN is working with our VPN Leak Test.
Verify the network name before connecting
Ask a staff member for the exact network name, including capitalization and spacing. Do not rely on signal strength to identify the real network. An evil twin attacker intentionally boosts their signal.
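The character-by-character comparison can be automated. The sketch below is an added example, not from the original article: it classifies each visible SSID against the name staff gave you. The scan list is constructed and the confusable-character map is a small illustrative assumption.

```python
import unicodedata

# Characters that read alike on a small screen. An assumption of this example,
# not an exhaustive confusables table.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})
SEPARATORS = " _-."

def skeleton(ssid):
    """Reduce an SSID to the form a hurried reader actually perceives."""
    s = unicodedata.normalize("NFKC", ssid).casefold()   # fullwidth forms, case
    s = "".join(ch for ch in s if ch not in SEPARATORS)  # spacing and punctuation
    return s.translate(CONFUSABLE)                       # 0/o, 1/l/i

def classify(expected, seen):
    """Compare a visible SSID with the exact name staff gave you."""
    if seen == expected:
        return "exact"        # the name matches, which a same-name twin also would
    if skeleton(seen) == skeleton(expected):
        return "lookalike"    # differs only in case, spacing or confusable chars
    return "other"

def review_scan(expected, visible):
    """Map every visible SSID to its verdict against the expected name."""
    return {ssid: classify(expected, ssid) for ssid in visible}

# Constructed scan list; "Starbucks_WiFi" is the name used in the article.
VISIBLE = ["Starbucks_WiFi", "Starbucks_Wifi", "Starbucks WiFi ",
           "Starbucks_W1F1", "\uff33tarbucks_WiFi", "CoffeeGuest"]

if __name__ == "__main__":
    for ssid, verdict in review_scan("Starbucks_WiFi", VISIBLE).items():
        print(f"{verdict:10} {ssid!r}")
```

An "exact" verdict only rules out look-alike names; a twin broadcasting the identical name passes this check, so the captive portal red flags still apply.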
Use your phone's hotspot for sensitive tasks
For banking, payroll, or anything that would hurt if compromised, tether to your phone's cellular connection. Cellular traffic is encrypted between your device and the carrier's infrastructure, and the physical constraints of cellular networks make active interception orders of magnitude harder than WiFi attacks.
Check what you expose
Our Browser Fingerprint tool shows what identifying information your browser broadcasts. On public WiFi, metadata from DNS and SNI plus a distinctive browser fingerprint makes you easy to track across sessions. See also What Can Someone Do With Your IP Address for context on what the network operator learns just from connection metadata.
Special Situations
Hotel WiFi
Large chains operate managed network infrastructure, but third-party providers often handle the actual system and may log and sell usage data. The credential-harvesting risk is lower at a Marriott than at a no-name hostel, but the metadata logging risk is comparable or higher due to commercial analytics tools.
Airport WiFi
High traffic density gives attackers cover. Travelers are distracted and often accessing accounts they would not check at home. Airports are the most frequently cited venue in documented evil twin and portal phishing cases. My rule: use your carrier's hotspot in airports unless nothing sensitive is involved.
Coffee Shop WiFi
Small venues rarely run dedicated IT. Routers may use default credentials, outdated firmware, and no client isolation (clients on the same network can communicate with each other). Client isolation is a router setting that prevents device-to-device traffic on the same network. Without it, a local attacker can attempt connections to your device.
Public Transport WiFi
Train, bus, and plane WiFi is almost always shared and unencrypted at the radio layer. VPN performance is often degraded on bandwidth-limited transport networks, but the encrypted tunnel still provides metadata protection even when it is slow.
Frequently Asked Questions
Is public WiFi safe if I only visit HTTPS sites?
For content protection, yes. HTTPS encrypts everything you send and receive, so an attacker cannot read your login credentials or personal data. What remains exposed is which domains you visit, visible through DNS queries and the TLS SNI field. A network operator or local attacker sees your browsing destinations even if they cannot read the content. For full protection you need HTTPS plus a VPN or DNS over HTTPS.
Can someone still steal my session cookies on public WiFi in 2026?
Not through the classic over-the-air method. Session cookies on HTTPS sites carry the Secure flag, which means browsers only transmit them over encrypted connections. An attacker sniffing WiFi traffic sees encrypted ciphertext, not cookie values. Session hijacking still happens in 2026, but through endpoint malware (infostealers) and phishing proxies, not through packet sniffing on a shared network.
What is an evil twin attack and how do I spot one?
An evil twin is a rogue WiFi access point broadcasting the same name as a legitimate network. Your device connects to it instead of or in addition to the real network. Signs include a captive portal asking for identity provider credentials (Google, Microsoft, Apple), certificate warnings, and unusually fast authentication (no backend verification needed for a fake portal). Ask staff for the exact network name and connect to the VPN before logging into anything.
Does a VPN protect me from captive portal phishing?
Partially. If you connect a VPN after passing through a legitimate-looking captive portal that was actually fake, the VPN does not undo credentials you already typed into the phishing page. The VPN protects the tunnel once it is active. The defense against portal phishing is recognizing the red flags: identity provider login requests, certificate warnings, and requests for passwords rather than just an email address.
Does public WiFi at a hotel or airport log what sites I visit?
Almost certainly. Venue networks and their third-party operators commonly log DNS queries per device and connection metadata. Captive portal terms of service typically grant permission for this collection. A VPN or DNS over HTTPS prevents the operator from seeing DNS queries. Without that, your domain-level browsing history is visible to the network operator even on fully HTTPS connections.
Sources
- HTTP Archive Web Almanac 2025, Security chapter
- CDT: Encrypted Client Hello, Closing the SNI Metadata Gap
- Apple Support: Forget a Wi-Fi network or prevent your device from automatically joining it
- SANS ISC: Encrypted Client Hello, Ready for Prime Time?
- JumpCloud: What Is an Evil Twin WiFi Attack?
- Purple.ai: Is a Captive Portal Login Safe?
WhatIsMyLocation Team
Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.