TL;DR

Six attacks are still documented on public WiFi in 2026: Man-in-the-Middle (MITM), Evil Twin (fake hotspot), packet sniffing, ARP spoofing, session hijacking, and compromised captive portals. HTTPS protects content but not the SNI (the destination domain remains visible in plain text) — meaning the WiFi operator still sees which domains you visit. The only effective countermeasure is a VPN active before connecting to the network. Free VPNs are explicitly counter-productive on public WiFi: they monetize your data more thoroughly than the WiFi operator would.

What actually happens on a public WiFi connection

When you connect to a public WiFi network, several invisible steps happen between your device and the internet — and each one is a potential point of observation.

Step 1 — DHCP. Your device requests an IP address from the access point, which assigns one along with the local gateway and DNS servers (typically the operator's). This means the operator decides which DNS resolver you'll use.
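To see exactly what the access point dictates in Step 1, the following added example (not part of the original article) parses a DHCP reply payload and extracts the assigned address, gateway (option 3) and DNS servers (option 6). The sample packet is constructed from documentation address ranges, and the function and variable names are illustrative.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 marker before the options field
PAD, ROUTER, DNS, MSG_TYPE, END = 0, 3, 6, 53, 255  # option codes (RFC 2132)

def _ipv4_list(data):
    """Split an option payload into dotted-quad strings, 4 bytes per address."""
    if len(data) % 4:
        raise ValueError("address option length is not a multiple of 4")
    return [socket.inet_ntoa(data[i:i + 4]) for i in range(0, len(data), 4)]

def parse_dhcp_reply(packet):
    """Return the address, gateway and DNS servers a DHCP OFFER/ACK hands out."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if packet[0] != 2:  # op field: 2 = BOOTREPLY (server to client)
        raise ValueError("not a server reply")
    lease = {"ip": socket.inet_ntoa(packet[16:20]),  # yiaddr: address assigned to us
             "type": None, "gateway": [], "dns": []}
    pos = 240
    while pos < len(packet) and packet[pos] != END:
        code = packet[pos]
        if code == PAD:  # single-byte padding, no length field
            pos += 1
            continue
        if pos + 2 > len(packet) or pos + 2 + packet[pos + 1] > len(packet):
            raise ValueError("truncated option")
        length = packet[pos + 1]
        data = packet[pos + 2:pos + 2 + length]
        if code == ROUTER:
            lease["gateway"] = _ipv4_list(data)
        elif code == DNS:
            lease["dns"] = _ipv4_list(data)
        elif code == MSG_TYPE and length == 1:
            lease["type"] = data[0]  # 2 = OFFER, 5 = ACK
        pos += 2 + length
    return lease

# Constructed sample DHCPACK payload using documentation addresses (not a capture).
SAMPLE_ACK = (
    bytes([2, 1, 6, 0]) + bytes(12)                  # op, htype, hlen, hops; xid..ciaddr
    + socket.inet_aton("192.0.2.57") + bytes(216)    # yiaddr; siaddr..file
    + MAGIC_COOKIE + bytes([MSG_TYPE, 1, 5, ROUTER, 4]) + socket.inet_aton("192.0.2.1")
    + bytes([DNS, 8]) + socket.inet_aton("192.0.2.1") + socket.inet_aton("198.51.100.53")
    + bytes([END])
)

if __name__ == "__main__":
    print(parse_dhcp_reply(SAMPLE_ACK))
```

Comparing the `dns` list against the resolver you intended to use shows whether the network has substituted its own.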