← back to blog
4 min read
  • #security
  • #wifi
  • #vpn
  • #threat-model

Public wifi: what I actually worry about

HTTPS killed most of the old public wifi attacks. Here is what still worries me: evil twin networks, fake captive portals, and the person sitting behind you.


I do a lot of work on public wifi. Coffee shops in Heber City, the library, ski lodge wifi when I am up in Park City. Every VPN ad says this is reckless, that some guy in a hoodie is pulling my passwords out of the air. Most of that picture is about ten years out of date.

I am studying for Security+ SY0-701 and eJPT right now, so wireless attacks are literally on my flashcards. Here is my honest threat model for public wifi: what actually worries me, and what is mostly marketing.

The problem HTTPS already solved

The classic scare story goes like this. You join the coffee shop network, an attacker on the same network sniffs the traffic, and they read your bank password in plain text. That was a real attack. Firesheep made it point and click back in 2010.

Then the web moved to HTTPS. Today almost every site you care about encrypts traffic between your browser and the server. Your bank, your email, this site. Someone sniffing the coffee shop network can see which sites you connect to, but not what you send or read. The padlock era killed passive sniffing for most people.

That does not mean public wifi is now safe. It means the risk moved. Three things survived the move, and they are what I actually pay attention to.

What actually worries me

Evil twin networks. Anyone can broadcast a network named "CoffeeShop_Guest" from a laptop or a cheap board. Your phone happily joins the strongest signal with a name it recognizes, and now the attacker is your router. HTTPS still protects most of your traffic, but they control DNS, can serve you a fake login page, and can watch anything that is still unencrypted. My rule: ask staff for the exact network name, and delete public networks from my saved list so my phone does not auto-join look-alikes later. The auto-join part is the sneaky bit. Your phone quietly announces the names of saved networks everywhere you go.

Captive portals. The login pages where you enter your email or a room number. Two problems. First, they train people to type personal info into an unverified page that interrupted their connection, which is exactly how a phishing page behaves. Second, a fake portal on an evil twin can ask for anything: an email and password, a "sign in with Google" button, a card number for premium speed. If a portal asks for a real account password, I close it. No coffee shop needs your Google password to give you wifi.

Shoulder surfing. The least technical threat and honestly the most likely one. It is on the Security+ objectives for a reason. If I unlock my password vault or type a passphrase in a crowded cafe, the person behind me does not care how strong the encryption is. I sit with my back to a wall when I am doing anything sensitive. Low tech problem, low tech fix.

What the VPN ads get wrong

VPN marketing needs you to believe public wifi is a war zone, because fear sells subscriptions. The pitch that hackers can see everything you do without a VPN was mostly true in 2010 and is mostly false now. HTTPS already encrypts the content.

Here is what a VPN actually does on public wifi. It hides which sites you visit from the network operator, and it protects the small slice of traffic that is still unencrypted. Those are real benefits. They are just modest ones. A VPN does not stop a fake captive portal from phishing you, does not stop shoulder surfing, and does not fix a password you reuse on twelve sites.

And there is a tradeoff nobody puts in the ad: a VPN moves your trust from the coffee shop to the VPN company. You are not removing a middleman, you are choosing a different one. If you picked a free VPN, you probably chose a worse one, because free VPNs have to make money somehow and your traffic is the obvious product.

My actual checklist

What I do on public wifi, roughly in order of how much it matters:

  • Keep the OS and browser updated. Boring, and it beats everything else on this list.
  • Use unique passwords from a password manager, plus 2FA. Then one stolen login stays one stolen login.
  • Confirm the network name with staff before joining.
  • Never type a real account password into a captive portal.
  • Turn off auto-join for public networks and prune the saved list.
  • Treat certificate warnings as the alarm going off. On a strange network, do not click through one, ever.
  • Back to the wall for anything sensitive.

Notice what is not on the list: panic. I ship code from coffee shops all the time, and once from a chairlift on my phone with Termux. Updated software plus HTTPS plus a password manager covers almost everything I do in public.

If you run a local business, the same logic applies to your website. The scary sounding stuff is usually not the real risk. The real risk is the boring stuff: an expired certificate, no HTTPS redirect, a contact form nobody has tested in a year. I do a free 24-hour audit, three real findings, yours to keep either way. Grab it at /audit.

$ share

community rating

$ ls ./comments

sign in or create an account to rate and comment.

no comments yet, be first.