The TLDR
Public WiFi used to be a digital minefield. In 2026, HTTPS protects the content of most connections even on compromised networks. But “most” isn’t “all,” and content isn’t everything. An attacker on the same network can still see which sites you visit, intercept connections to non-HTTPS sites, serve you fake captive portals, and in some cases strip encryption from connections that should be secure. The risk has decreased since 2015. It hasn’t disappeared.
The Reality
Let’s be honest about the threat model in 2026. The internet has changed:
- Over 95% of web traffic is now HTTPS
- Modern browsers show prominent warnings for non-HTTPS connections
- HSTS (HTTP Strict Transport Security) prevents downgrade attacks on major sites
- Certificate pinning prevents certificate forgery for sensitive services
This means the classic “sitting in a coffee shop reading everyone’s passwords” attack is largely obsolete. If you visit your bank over HTTPS on public WiFi, the content of that connection is encrypted and an attacker on the network can’t read it.
But here’s what they can still do:
- See which domains you connect to (DNS queries and SNI are often still visible)
- Set up a fake network that looks like the real one (evil twin)
- Intercept the initial connection before HTTPS kicks in
- Serve you a fake captive portal that harvests credentials
- Exploit the handful of connections that still use HTTP
How It Works
Evil Twin Attacks
An evil twin is a rogue access point that mimics a legitimate WiFi network. The attacker creates a hotspot with the same SSID as “Starbucks WiFi” or “Marriott_Guest.” Your device connects to whichever signal is stronger — which is the attacker’s access point, because they’re sitting 10 feet away.
Once you’re connected to the evil twin:
- All your traffic routes through the attacker’s device
- They can see your DNS queries (which sites you’re visiting)
- They can serve you a fake captive portal (“agree to terms” page that’s actually a credential harvester)
- They can modify non-HTTPS responses
Why your phone connects automatically: Most devices remember WiFi networks by SSID (name only, not the access point’s actual identity). If you’ve ever connected to “Starbucks WiFi,” your phone will automatically connect to any network with that name. The attacker exploits this.
ARP Poisoning
On a legitimate network, an attacker can use ARP (Address Resolution Protocol) poisoning to position themselves between you and the router. They send fake ARP messages telling the router “I’m this user’s device” and telling your device “I’m the router.” All traffic flows through their machine.
This is a MITRE ATT&CK technique (T1557.002) — Adversary-in-the-Middle: ARP Cache Poisoning.
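A defender's check for the symptom described above, as an added example that is not part of the original article: it parses a Linux /proc/net/arp table and flags a gateway MAC that differs from one recorded earlier, or a single MAC that answers for both the gateway and another host. The sample table, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in Linux /proc/net/arp layout (not from a real network).
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:05     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:00:00:05     *        wlan0
192.168.1.40     0x1         0x2         aa:bb:cc:00:00:40     *        wlan0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

def parse_arp_table(text):
    """Return (ip, mac, device) tuples for every resolved entry."""
    entries = []
    for line in text.splitlines()[1:]:        # first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = fields
        if not int(flags, 16) & 0x2:          # 0x2 = complete; skip unresolved rows
            continue
        entries.append((ip, mac.lower(), device))
    return entries

def find_arp_anomalies(entries, gateway_ip, known_gateway_mac=None):
    """Flag signs that another machine is answering for the gateway."""
    ips_by_mac = defaultdict(set)
    gateway_mac = None
    for ip, mac, device in entries:
        ips_by_mac[(device, mac)].add(ip)
        if ip == gateway_ip:
            gateway_mac = mac
    if gateway_mac is None:
        return ["gateway has no resolved ARP entry"]
    findings = []
    # Check 1: the gateway's MAC differs from one recorded on a trusted visit.
    if known_gateway_mac and gateway_mac != known_gateway_mac.lower():
        findings.append(f"gateway MAC changed: {known_gateway_mac.lower()} -> {gateway_mac}")
    # Check 2: one MAC claims the gateway's IP and another host's IP.
    for (device, mac), ips in sorted(ips_by_mac.items()):
        if gateway_ip in ips and len(ips) > 1:
            others = ", ".join(sorted(ips - {gateway_ip}))
            findings.append(f"{mac} on {device} answers for gateway and {others}")
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_table(SAMPLE_ARP_TABLE), "192.168.1.1"):
        print(finding)
```

Both checks are heuristics: a router that legitimately holds several addresses or performs proxy ARP will also trip the second one, so treat a finding as a reason to look closer rather than as proof.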
SSL Stripping
SSL stripping intercepts the moment your browser upgrades from HTTP to HTTPS. When you type bank.com (without the https://), your browser first connects over HTTP, then gets redirected to HTTPS. An attacker in a MITM position can intercept the initial HTTP connection and keep you on an unencrypted version while they maintain an encrypted connection to the real server.
HSTS mitigates this for sites you’ve visited before (your browser remembers to always use HTTPS). But first visits are still vulnerable. This is why browsers like Chrome now default to HTTPS for all URLs.
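The first-visit gap modeled as an added example (not from the original article): a simplified browser-side HSTS cache that follows the header rules of RFC 6797. The class, function and host names and the timestamps are constructed, and the preload list that real browsers ship is left out.

```python
import re

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None means the header is ignored."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name in seen:                      # a repeated directive voids the header
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')  # value may be a quoted string
            if not re.fullmatch(r"[0-9]+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:                       # max-age is mandatory
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

class HstsCache:
    """Simplified model of what a browser remembers (no preload list)."""
    def __init__(self):
        self.entries = {}                     # host -> (expires_at, include_subdomains)

    def note_response(self, host, header, over_https, now):
        if not over_https:                    # a header seen over plain HTTP is ignored,
            return                            # so a stripped first visit stores nothing
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:            # max-age=0 deletes the stored policy
            self.entries.pop(host.lower(), None)
            return
        self.entries[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):          # the host itself, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False
```

A host the cache has never seen over HTTPS returns False from must_use_https, which is the window SSL stripping relies on; once a valid header is stored, plain-HTTP requests to that host are upgraded until the entry expires.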
DNS Spoofing
On a compromised network, the attacker controls the DNS resolver. When you look up bank.com, they return the IP address of their phishing server instead of the real one. Combined with a convincing fake certificate (or targeting sites that don’t use HTTPS), this redirects you to a credential harvesting page.
Encrypted DNS (DoH or DoT) defeats this — but only if your device is configured to use it, which most are not by default.
Captive Portal Risks
Hotels, airports, and coffee shops that use captive portals (“click to agree before you get internet”) create a unique vulnerability. The captive portal is essentially a man-in-the-middle by design — it intercepts your first web request and redirects it.
An evil twin can serve a captive portal that looks identical to the real one but asks for your email, room number, or even credit card — and you’ll enter it because that’s what you expect a hotel WiFi portal to ask for.
Juice Jacking
In 2023, the FBI issued a public advisory warning against using public USB charging stations at airports, hotels, and shopping centers. The concern: malicious charging ports that inject data or malware when you plug in via USB.
How it works: USB carries both power and data. A modified charging port or a malicious cable can establish a data connection with your phone and install malware, copy files, or establish remote access.
The practical risk: Juice jacking attacks in the wild are rare relative to the prominence of the FBI advisory. But the defense is simple: use a power-only USB cable (no data pins) or carry your own charger and plug into a wall outlet.
How It Gets Exploited
Hotel Network Attacks
The DarkHotel APT group specifically targeted business travelers through hotel WiFi networks. The attackers compromised hotel network infrastructure and served fake software updates to guests — installing spyware on devices used by executives, government officials, and researchers.
Conference Targeting
DEF CON’s famous “Wall of Sheep” has been displaying the credentials of conference attendees caught using insecure connections since 2002. At security conferences, this is educational. In the real world, the same techniques are used by attackers at trade shows, industry conferences, and corporate events where high-value targets congregate.
Credential Harvesting at Scale
In some documented cases, attackers set up evil twin networks in busy areas (airports, train stations) and simply collected whatever credentials people entered into fake captive portals over the course of a day. The volume approach — harvest thousands of email/password combinations and sell the list — doesn’t require targeting anyone specifically.
What You Can Do
Use a VPN on Public Networks
A VPN encrypts all your traffic from your device to the VPN server. Even on a compromised network, the attacker sees encrypted gibberish. This is the single most effective defense for public WiFi.
Enable the VPN before connecting to the network, not after. The moment between connection and VPN activation is a window of exposure.
Enable HTTPS-Only Mode
Both Firefox and Chrome offer HTTPS-only mode, which blocks connections to non-HTTPS sites entirely. This prevents SSL stripping and protects against the remaining non-HTTPS sites.
Disable Auto-Connect
- iOS: Settings → WiFi → turn off “Auto-Join” for public networks, or enable “Ask to Join Networks”
- Android: Settings → WiFi → tap the network → turn off “Auto-connect”
- Windows/macOS: Remove saved public WiFi networks after use
This prevents your device from automatically connecting to evil twins that share the SSID of a network you’ve used before.
Prefer Mobile Data
If you’re doing something sensitive — banking, email, anything with credentials — use your phone’s mobile data instead of the coffee shop’s WiFi. Mobile data connections are encrypted between your device and the cell tower, and intercepting them requires significantly more sophisticated (and illegal) equipment than WiFi attacks.
For USB Charging
- Carry your own charger and cable
- Use a wall outlet, not a USB port
- If you must use a public USB port, use a data-blocking USB adapter (USB condom)
Sources & Further Reading
- DEF CON Wall of Sheep — the original public WiFi credential demonstration
- CISA Public WiFi Advisory — federal guidance on public WiFi risks
- MITRE ATT&CK T1557.002 — ARP Cache Poisoning — attack technique documentation
- FBI Juice Jacking Advisory — FBI warning on public USB charging risks
- MITRE ATT&CK: DarkHotel — hotel WiFi targeting by APT groups
- HTTPS Everywhere Project — the push toward universal HTTPS