How to Stay Safe on Public Wi-Fi

The café Wi-Fi problem is older than some of its users. You''ve heard the warnings. Maybe you ignore them, maybe you don''t. Either way, here''s the actual state of public Wi-Fi risk in 2026, what matters, and what''s overblown.

What public Wi-Fi actually exposes

A decade ago, "man-in-the-middle" attacks on public Wi-Fi were easy to pull off with a laptop and a free tool. Today, most of the web is HTTPS by default, which means the content of your traffic is encrypted even on an untrusted network.

But HTTPS isn''t a full shield:

• DNS queries often leak. Even with HTTPS, your device asks "what IP is example.com?" over an unencrypted DNS query unless you''ve enabled DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). On a public Wi-Fi, the network operator or anyone with access to it can see every domain you look up.
• TLS handshakes leak the destination hostname. Server Name Indication (SNI) is transmitted in plaintext in the initial handshake. Anyone on the network can log which sites you visit, even if they can''t read the content.
• Apps are inconsistent. Browsers enforce HTTPS aggressively. Apps often don''t. A surprising number of mobile apps still send data over plain HTTP, or misconfigure certificate validation in ways that allow interception.
• Rogue hotspots are real. Any device can broadcast a Wi-Fi network called "Starbucks" or "Hotel Guest". If you connect to one run by an attacker, every assumption about the network being neutral goes out the window.

What''s actually risky

Rank the risks honestly:

1. Credentials sent over HTTP. Some apps, especially older ones or sketchy internal tools, still do this. Catastrophic if intercepted.
2. Session cookies in apps with weak transport security. Even if login was HTTPS, cookies may be exposed later.
3. Location and activity tracking. The network operator sees which sites and services you use, even if not the contents.
4. Captive portal spoofing. The "click to connect" page on some hotels and airports is a great place to harvest information or install certificates.
5. Exposed shares. If your device still has file sharing enabled on trusted networks, connecting to a public network with the wrong profile can make those shares visible.

What''s NOT actually risky on a well-maintained modern device:

• Checking email via a modern mail app.
• Browsing mainstream HTTPS websites.
• Using iMessage, Signal, WhatsApp — all use end-to-end encryption.

The realistic defense

The honest answer is: you can solve most of this by doing three things.

1. Use a VPN whenever you''re on an untrusted network. This collapses the attack surface entirely — the operator sees one encrypted connection to a VPN server, nothing more. DNS queries go through the VPN. SNI goes through the VPN. Apps with sloppy transport security get protected anyway.

2. Enable automatic Wi-Fi protection where it''s available. Recent iOS and Android versions support "always-on VPN" or "on-demand" connection rules that kick in whenever the device joins an unknown network. Doppler supports this on both platforms.

3. Turn on encrypted DNS. Even without a VPN, DoH or DoT closes the DNS leak on any network. This is a baseline.

What about "free Wi-Fi" with a captive portal?

Captive portals — the "agree to these terms" pages — are a classic ingress for unwanted software. A few habits help:

• Never install a profile, certificate, or app a captive portal asks you to. No legitimate network needs one.
• Do the captive-portal login first, then connect your VPN immediately after.
• Treat the first two minutes on any public network as the riskiest window — nothing is protected until the VPN tunnel is up.

The short version

Public Wi-Fi in 2026 isn''t as dangerous as it was in 2015, but it''s still a network you don''t control, watched by people you don''t know. Use a VPN. Keep encrypted DNS on. Don''t install anything a Wi-Fi login page asks you to install.

It takes less effort than worrying about it.

Doppler VPN runs on-demand on iOS, Android, macOS, and Windows, connecting automatically whenever you join an untrusted network. Try it free.