Posted in

Public Wi-Fi isn't as dangerous as VPN ads want you to believe

The topic Public Wi-Fi isn’t as dangerous as VPN ads want you to believe is currently the subject of lively discussion — readers and analysts are keeping a close eye on developments.

This is taking place in a dynamic environment: companies’ decisions and competitors’ reactions can quickly change the picture.

Years of conditioning have made us wary of exposing our phones and laptops to public Wi-Fi networks in airports, cafés, and hotels, and VPN companies have further propagated that view. They still like to exaggerate the dangers of public Wi-Fi to scare people into buying multi-year subscriptions to their services. While VPNs are still useful for hiding your IP address and bypassing geographic restrictions, their effectiveness against security threats has gone down considerably. Public Wi-Fi networks have changed a lot in the last few years, adopting relatively modern security safeguards. WPA3 encryption, near-universal HTTPS implementation, and built-in security measures on modern devices have erased much of the risk associated with public Wi-Fi. As long as you’re not hunting for websites with outdated security or using a dated device that can’t protect your traffic, your public Wi-Fi usage is pretty safe.

Many consumers are lured by marketing claims that a VPN will make them “completely anonymous.”

The single biggest security measure protecting your browsing against snooping is HTTPS, an encrypted version of the plaintext HTTP protocol. You must have seen nearly every website using HTTPS these days. The shift from HTTP to HTTPS happened nearly a decade ago, so encountering any website still using HTTP is extremely unlikely. HTTPS encrypts the data between your device and the server and vice versa, rendering it unreadable to anyone eavesdropping on the network. Today, your browser will alert you if a site you’re about to visit is “unsecured” or your connection is not “private.” That almost always means the site is using HTTP, which gives you the choice to continue or not, knowing the risks.

The other aspect of HTTPS is authenticating your connection to the website, so you know that you’re not accidentally landing on an impostor website. This is achieved through SSL/TLS certificates, and if the site’s certificate is invalid or outdated, your browser will alert you of the same. This single change has mostly eliminated the risk of threat actors seeing your data on public Wi-Fi networks. So, you don’t need a VPN to prevent Man-in-the-Middle (MitM), packet sniffing, tampering, and session hijacking attacks anymore.

Discover this game-changing travel hack that keeps your devices secure on any network

Public Wi-Fi networks becoming secure is just one side of the story. Even the smartphones, laptops, and tablets you are using come with modern, built-in protection against security attacks. Whether you’re using Android, iOS, Windows, Mac, or something else, your operating system is doing far more work in the background than it did a decade ago. When you connect to a new network, your OS asks you to designate the network “Public” or “Private.” When you choose the former, your device disables file-sharing features, so others on the network can’t access the data on your storage drive. Built-in firewalls filter all the traffic passing through your device, blocking unsolicited connections from other devices on the same network.

Then, you also have the option of encrypting your DNS queries by enabling “DNS over HTTPS” in your OS settings, so attackers can’t even know which websites you’re visiting. Today, if the public Wi-Fi network you’re using is password-protected, then the WPA2/WPA3 encryption keeps your browsing mostly safe. WPA2 might be more susceptible to security compromises, but WPA3 has become more common in recent years.

Running a local DNS server is great – until your devices ignore it

No Wi-Fi connection is 100% secure, but you can ensure relatively safe browsing by following certain best practices. Avoiding websites your browser warns you about, keeping your devices updated, and avoiding banking and other sensitive transactions on public Wi-Fi are things I would recommend. Your outdated devices might not be receiving security updates anymore, so they’re generally more prone to attacks in the wild. Websites with expired or missing security certificates should be avoided if you want to be 100% safe.

Connecting to open Wi-Fi networks, i.e., without password protection, is one area where a VPN can genuinely help. It can encrypt all your traffic on the unsecured Wi-Fi network, so you have a shield against strangers trying to sniff out your data. Unsecured public Wi-Fi is becoming increasingly rare, so the scenarios where using a VPN becomes non-negotiable are also going down in number. If your VPN helps you watch content that’s unavailable in your region or protects your online identity, then it’s worth it. However, don’t buy one to prevent security attacks that the modern web and newer devices already protect you from.

Thanks to the modern avatar of the web, your online traffic is pretty secure even on public networks. With HTTPS certificates, WPA3 encryption, and built-in protection on modern devices, you don’t really need a VPN to prevent common security attacks on public Wi-Fi. A VPN can increase your device’s security on unsecured Wi-Fi networks, but even these are becoming pretty rare. VPNs have their role on the modern web, but you should know exactly why you’re buying one.