CyberSearch .in
SUBSCRIBE
← All articles
WI-FI · 7 min read

Public Wi-Fi survival guide for travellers

What's actually risky, what isn't, and the 3-step routine to stay safe.

cover image

Public Wi-Fi advice is stuck in 2012. You’ve heard the warnings — “hackers can see everything you do!” — usually followed by an ad for a VPN. The truth in 2026 is more interesting: the classic coffee-shop attack is mostly dead, but a few real risks remain, and they’re not the ones the ads talk about.

Let’s separate the threat model from the theatre.

What changed: HTTPS ate the eavesdropper

The scary scenario — someone on the same network reading your passwords out of the air — depended on websites sending traffic unencrypted. That era is over. Well over 95% of web traffic today travels over HTTPS: everything between your device and the site is encrypted before it leaves your device, and the network can’t read or alter it.

Someone sniffing café Wi-Fi while you bank sees which sites you contact (via DNS and connection metadata) — not your password, not your balance, not the contents of anything. Modern browsers also treat plain-HTTP pages as exceptional: warnings, broken padlocks, refusal to autofill passwords.

The related classic, sslstrip (silently downgrading you from HTTPS to HTTP), is likewise mostly extinct — banks and major services use HSTS, which tells your browser to never connect to them unencrypted, and browsers increasingly default to HTTPS for everything.

What’s actually still risky

Fake hotspots (evil twins). Anyone can broadcast a network named Airport_Free_WiFi from a laptop or a phone. Connecting to an attacker’s hotspot doesn’t let them break HTTPS — but it does hand them your DNS queries, your unencrypted traffic (rare, but it exists), and a perfect stage for the next item.

Captive-portal phishing. That login page asking you to “sign in with email and password to get free Wi-Fi”? On a hostile hotspot it can be a credential harvester dressed as a portal. Legitimate portals ask you to accept terms or enter a room number — they don’t need your email password. Never reuse a real password on a Wi-Fi portal.

Your device’s other doors. On an untrusted network, the network can talk to you: file sharing, AirDrop-style services, local network discovery. If your laptop is set to “trust this network like home Wi-Fi”, nearby strangers may reach services you never meant to expose.

Old protocols and apps. Email clients still configured for plaintext, apps that skip certificate checks, that one internal tool from 2015. Rare, but this is where the residual interception risk actually lives.

The 3-step routine

Before you travel, do these once:

  1. Mark public networks as public. When your OS asks “Should this device be discoverable on this network?” — the answer on public Wi-Fi is always no. This closes file sharing and local discovery, which shuts the most realistic attack paths.
  2. Turn on your OS/browser DNS protection. Enable “Secure DNS” / DNS-over-HTTPS in your browser or OS settings. It encrypts the one part of your browsing a hostile network still reliably sees — and breaks most portal-level DNS tricks. (Curious what DNS reveals? Try our IP & DNS Lookup tool.)
  3. Keep auto-join off for open networks. Your phone remembering CoffeeShop_Free and silently rejoining anything with that name, anywhere in the world, is exactly how evil twins get their traffic.

And whenever you connect somewhere new:

  • Prefer your phone’s hotspot for anything sensitive — cellular is a fine trust boundary and tethering is cheap now.
  • If a portal asks for a password to an account you own, close it and use mobile data.
  • Watch for certificate warnings. On a public network, “proceed anyway” is never the right button. That warning is your browser telling you interception is happening right now.

So do you need a VPN?

Sometimes — for reasons mostly unrelated to the ads. A reputable VPN on public Wi-Fi buys you: hiding which sites you visit from the local network, protection for any lingering non-HTTPS traffic, and DNS that bypasses the hotspot entirely. That’s a real but modest gain when nearly everything is already end-to-end encrypted.

What a VPN does not do: make a phishing site safe, stop malware, or protect you from the fake portal you typed your email password into before the VPN connected. And it shifts trust rather than removing it — the VPN provider sees what the café would have.

Reasonable rule: if you travel often, a reputable paid VPN (or your own WireGuard server) is a worthwhile layer. If you connect to public Wi-Fi twice a year, your phone’s hotspot covers the same need with less complexity.

The bottom line

Public Wi-Fi in 2026 is not the minefield it’s marketed as — HTTPS won that war. The remaining risks are about which network you join (evil twins), what you type into portals (phishing), and what your device exposes locally (discovery and sharing). The 3-step routine handles all three, takes five minutes to set up, and costs nothing. Set it up before your next trip, and connect with appropriate — not theatrical — caution.

Written & tested by CyberSearch Get one tip a week →
KEEP READING

More from the blog

PHISHINGJul 2, 2026 · 6 min
Anatomy of a phishing email: 7 tells you can spot in 10 seconds

From mismatched senders to urgency traps — a visual field guide to reading a suspicious email the way an analyst does.

PASSWORDSJun 26, 2026 · 8 min
How password managers actually keep your secrets

Vaults, key derivation and zero-knowledge — explained without the jargon.

PRIVACYJun 19, 2026 · 5 min
Is your browser extension spying on you?

Permissions to check before you click "Add to browser".