
Public WiFi Risks (Honest Version)

Less catastrophic than VPN marketing suggests, but still a meaningfully hostile environment. Here's what's actually risky in 2026 and what a VPN does about it.

⚡ Reality check

"All your data is stolen on public WiFi" — that was true in 2010, when most traffic was unencrypted HTTP. Today ~95% of web traffic is HTTPS, and the catastrophic packet-sniffing attacks (Firesheep, anyone?) mostly don't work. But "public WiFi is safe now" is also wrong. The remaining risks are real, just different from what you might expect.

What used to be dangerous

In the late 2000s and early 2010s, the canonical public-WiFi attack was simple: open packet capture (Wireshark or a Firesheep-style tool) on a coffee-shop network, and read everything that wasn't HTTPS. Most websites at the time used HTTPS only for login pages and sent everything else in plain text — including session cookies. An attacker could grab a Facebook session cookie from someone on the same WiFi and impersonate them within minutes.

This attack effectively no longer works on the modern web. The HTTPS migration (driven by Let's Encrypt, browser warnings about HTTP, and the SEO ranking boost Google gave HTTPS sites) was largely complete by 2018. Email, banking, social media, and almost all major sites are HTTPS-only.

What's actually dangerous now

1. Metadata exposure (SNI + DNS + IP)

Even with HTTPS, your traffic leaks metadata in plaintext:

  • SNI: the TLS handshake includes the hostname you're connecting to. An attacker on the WiFi can see "you connected to bankofamerica.com" even though they can't see the page contents.
  • DNS queries: if you're using the WiFi's DNS resolver (default), every domain you query is visible in plaintext to whoever runs that resolver.
  • Destination IPs: visible in packet headers. Less precise than SNI but still indicative.

Result: an observer learns which sites you visit, when, and how much data flows. They don't learn what you do on those sites — but the metadata alone is often enough.

2. Evil twin access points

An attacker creates a fake AP with the same SSID as the legitimate one (e.g., "Starbucks_Free" or "HotelWiFi") and waits for devices to auto-connect. Devices generally prefer stronger signals, so an attacker physically close to the target can win the race.

Once you're on the fake AP, the attacker controls:

  • DNS responses (can redirect you to phishing sites).
  • Captive portal (can present fake login pages to harvest credentials).
  • Plaintext traffic (any non-HTTPS connections).
  • SSL stripping attempts (forcing HTTP downgrades on sites that don't enforce HSTS).

Evil twin attacks are more common at airports, hotels, and conferences than at random coffee shops, but they're not rare.

3. Captive portal manipulation

The "click to accept terms" page on hotel WiFi works by intercepting HTTP traffic and redirecting it to the login page. The technology is benign per se, but it relies on plaintext HTTP being interceptable.

A malicious operator can:

  • Inject JavaScript or ads into the captive portal page (some hotels and ISPs have done this commercially).
  • Present a fake login page that harvests credentials.
  • Use the captive portal redirect to fingerprint your device.

You can't avoid the captive portal — you need it to get internet — but the security exposure is bounded to the portal interaction.

4. SSL stripping (mostly mitigated)

SSL stripping attempts to downgrade your HTTPS connection to HTTP by intercepting the initial redirect. Modern browsers and HSTS (HTTP Strict Transport Security) protect against this for most major sites. But sites without HSTS, or first-visit connections to new sites, can still be stripped.
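A way to check the HSTS condition described above, as an added example rather than code from this page: it parses a `Strict-Transport-Security` header per RFC 6797 and reports when a plain-HTTP request to that host could still be held at HTTP. The response headers in `SAMPLES` are constructed, and the category labels are this example's own.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if it must be ignored."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()              # directive names are case-insensitive
        if not name:
            continue                             # tolerate empty segments such as a trailing ';'
        if name in directives:
            return None                          # a directive may appear only once
        directives[name] = val.strip().strip('"')  # values may be quoted-strings
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                              # max-age is required and must be an integer
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in directives}

def stripping_window(headers):
    """Say when a plain-HTTP request to this host could still be kept at HTTP."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(value) if value is not None else None
    if policy is None or policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
        return "every visit"
    if not policy["include_subdomains"]:
        return "first visit; subdomains not covered"
    return "first visit only"

# Constructed HTTPS response headers, not captured from real sites.
SAMPLES = {
    "strict": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "host-only": {"strict-transport-security": 'max-age="63072000";'},
    "cleared": {"Strict-Transport-Security": "max-age=0"},
    "malformed": {"Strict-Transport-Security": "max-age=100; max-age=200"},
    "absent": {"Content-Type": "text/html"},
}

def audit(samples=SAMPLES):
    """Map each sample name to its downgrade window."""
    return {name: stripping_window(h) for name, h in samples.items()}
```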

5. Network discovery and lateral attacks

Once you're on a WiFi network, your device may be discoverable to other devices on that network — depending on AP configuration. If client isolation isn't enabled, other devices can:

  • Scan for open ports on your device.
  • Attempt to exploit known vulnerabilities.
  • Probe shared services (network printers, file sharing, AirDrop, etc.).

Modern OS defaults make most of these attacks fail (no open file shares, firewalls block ports by default), but devices with old firmware or unusual configurations are more vulnerable.

What a VPN does about all this

| Threat | HTTPS alone | HTTPS + VPN |
| --- | --- | --- |
| Plaintext sniffing | Protected | Protected |
| SNI / DNS / IP metadata | Leaks | Encrypted in tunnel |
| Evil twin AP | Partial (HTTPS warns on cert) | Tunnel exits at VPN, not local AP |
| SSL stripping | Mostly protected (HSTS) | Doesn't matter — tunnel is the cert |
| Captive portal abuse | Vulnerable | VPN can't activate until you're past portal — careful |
| Lateral network attacks | Vulnerable | VPN doesn't help (device firewall does) |

Bottom line: a VPN is meaningful protection on public WiFi for the metadata layer and against rogue AP attacks. It's not magic. It doesn't replace device firewalls, OS updates, or sensible behavior (don't enter passwords before the VPN is connected).

Practical guidance

  1. Connect to the WiFi.
  2. Get past the captive portal if there is one.
  3. Immediately connect your VPN before opening anything else.
  4. Enable the kill switch so traffic is blocked if the VPN drops.
  5. Verify with our IP check that the tunnel is active.
  6. Avoid logging into anything sensitive in the brief window before the VPN is connected (mostly during the captive portal phase).

For step-by-step instructions specific to ClownVPN, see our practical public WiFi guide.


🎪 FAQ

Is public WiFi actually dangerous in 2026?
Less dangerous than it was a decade ago, but not safe. HTTPS now covers ~95% of web traffic, which means casual packet sniffing (the classic 'Firesheep' attack from 2010) doesn't work the way it used to. The remaining risks are mostly metadata exposure, captive-portal manipulation, and targeted attacks like evil twin APs. The marketing line 'all your data is exposed on public WiFi' is outdated; the underlying point that public WiFi is a hostile environment is still valid.

What's an 'evil twin' attack?
An attacker sets up a fake WiFi access point with the same name (SSID) as the legitimate one — for example, 'Starbucks_WiFi' — and tricks devices into connecting to it instead. Once connected, the attacker can intercept traffic, run DNS spoofing, attempt SSL stripping, or harvest credentials through fake login portals. The attack is real but requires effort; it's more common at airports, hotels, and conferences than at random coffee shops.

Does HTTPS make a VPN unnecessary on public WiFi?
Not quite. HTTPS encrypts content and the URL path but leaks the destination hostname (via SNI in TLS) and the destination IP. So on hostile WiFi, an attacker can still see which sites you're visiting, even though they can't see what you do on them. They can also do timing analysis to infer activities. A VPN closes the metadata leak. HTTPS + VPN is meaningfully more private than HTTPS alone on untrusted networks.

Should I use cellular data instead of public WiFi?
Cellular is generally lower-risk than open WiFi because the encryption layer between your device and the carrier is harder to compromise than WiFi. The trade-off is that cellular data has its own privacy issues (carrier tracking, cell tower location logging, SS7 vulnerabilities for SMS). If you have unlimited cellular and the choice is 'sketchy hotel WiFi vs LTE,' use LTE. Add a VPN if you want both confidentiality and metadata privacy.

Are captive portals a security risk?
Yes, modestly. Captive portals (the 'Click here to accept terms' page on hotel/cafe WiFi) intercept HTTP traffic to redirect you to the login page. They're often run on legitimate infrastructure, but the same technology can be abused — a malicious operator could redirect to a fake login page that harvests credentials, or inject scripts. Once you're past the captive portal, the network behaves normally. A VPN doesn't help you get past the portal (you need clear-text HTTP to authenticate), but it activates immediately after.
