
Public WiFi Security: What Actually Happens When You Connect at Starbucks

The real risks of public WiFi and practical protection — what attackers can and cannot see on coffee shop networks, and the exact tools that keep you safe.

AiTechWorlds Team
May 28, 2026 12 min read

I have connected to coffee shop WiFi hundreds of times. For years, I did it without a second thought — I opened my laptop, clicked the network, got my work done, and moved on. Then I took a network security course where the instructor demonstrated, live in the classroom, how easily he could intercept traffic on an unsecured network. The demonstration was mundane by hacker standards — just traffic sniffing on a local hotspot — but seeing it happen in real time changed how I think about every network I connect to.

The reality of public WiFi security in 2025 is more nuanced than most guides acknowledge. You are not constantly on the verge of being hacked every time you visit Starbucks. Modern HTTPS encryption has genuinely improved the baseline security of everyday browsing. But there are real risks — specific activities, specific attack types — that you should understand before making the call on whether a given action is safe on a given network.

This guide covers what is actually happening when you connect to a public network, the specific attacks that threat actors use in these environments, which activities are high-risk versus low-risk, and the exact tools that provide meaningful protection.

For a complete foundation in personal cybersecurity, visit our cybersecurity resource hub and our guide on mobile security settings.


What Actually Happens When You Connect to Public WiFi

Most people picture "getting hacked on public WiFi" as a sophisticated technical attack. The reality is a spectrum ranging from trivially easy to technically complex, depending on the specific threat.

When you connect to an open, unencrypted WiFi network (no password required, or a shared single password for all users), all your traffic flows through shared infrastructure that anyone on the same network can potentially access with the right tools.

The Network Layer Reality

Open WiFi means the radio transmissions between your device and the access point are not encrypted at the network layer. Any device in radio range running network sniffing software (Wireshark, for example — a freely available, legal tool) can capture these raw packets.

What the sniffer actually sees depends on what layer the traffic is encrypted at:

  • HTTPS traffic: The sniffer can see that you connected to accounts.google.com but cannot read your credentials or session content. The TLS encryption at the application layer protects the content.
  • HTTP traffic: The sniffer can see everything — URLs, request parameters, form submissions including passwords, cookies, and session tokens.
  • DNS queries (unencrypted): Every domain name your device resolves is visible, even when the content of the connection is encrypted. This means someone can see every site you visit, even over HTTPS.
  • Encrypted DNS (DoH/DoT): DNS queries are encrypted. The sniffer cannot read your DNS lookups.

Understanding this layer structure is the key to assessing real risk.
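The layer breakdown above can be checked against your own traffic. The following is an added example, not code from the original article: it parses a plain DNS query and a cleartext HTTP request the way any packet analyzer does, showing which fields are readable on the wire. The function names are hypothetical and both samples are constructed, not captured.

```python
import struct

def build_dns_query(name, qtype=1, txid=0x1234):
    """Constructed sample: the plain UDP/53 query a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_dns_question(payload):
    """Return (name, qtype) of the first question, as a sniffer would read it."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype

def parse_http_request(payload):
    """Return the fields of a cleartext HTTP request that are readable on the wire."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    return {"method": method, "target": target, "host": headers.get("host"),
            "cookie": headers.get("cookie"), "body": body.decode("latin-1")}

# Constructed samples (not captured traffic).
DNS_SAMPLE = build_dns_query("accounts.google.com")
HTTP_SAMPLE = (b"POST /login HTTP/1.1\r\nHost: forum.example\r\n"
               b"Cookie: sid=abc123\r\nContent-Length: 27\r\n\r\n"
               b"user=alice&password=hunter2")

if __name__ == "__main__":
    print(parse_dns_question(DNS_SAMPLE))
    print(parse_http_request(HTTP_SAMPLE))
```

With DoH or DoT the first parser has nothing to read, and with HTTPS the second sees only ciphertext, which is the difference the list above describes.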


Attack Types on Public WiFi

The threat is not monolithic. Different attack types work in different ways and have different levels of difficulty and impact.

Attack Types Comparison Table

| Attack Type | How It Works | Difficulty | What Gets Exposed | HTTPS Protection | VPN Protection |
|---|---|---|---|---|---|
| Passive Sniffing | Capturing all packets on the network | Easy — just run Wireshark | HTTP content, DNS queries, metadata | Protects content, not metadata | Full protection |
| Evil Twin / Rogue AP | Spoofed access point with same or similar network name | Moderate — needs hardware and setup | Depends on traffic type | Partial | Full protection |
| ARP Poisoning / MITM | Redirecting traffic through attacker's device on same network | Moderate — requires tools and network access | Same as passive sniffing + can inject content | Protects content | Full protection |
| SSL Stripping | Downgrades HTTPS connections to HTTP | Moderate — requires MITM position first | Credentials, session tokens on downgraded connections | Defeats HTTPS for vulnerable sites | Full protection |
| DNS Spoofing | Returns malicious IP for legitimate domain name | Moderate-high | Can redirect you to phishing pages | Certificates protect you if done correctly | Full protection |
| Captive Portal Phishing | Fake login page mimicking legitimate portal | Easy — low technical skill | WiFi portal credentials, sometimes email/password | No protection | No protection (credential capture) |
| Session Hijacking | Stealing authenticated session cookies | Requires HTTP or MITM position | Account sessions on vulnerable sites | Strong protection | Full protection |

My own experience: at a security conference I attended (where everyone was trying to demonstrate exactly these attacks), I used Wireshark to observe the traffic characteristics of my own device on the conference network. Even with all connections going through HTTPS, the DNS metadata picture was surprisingly detailed — effectively a log of every site and service I contacted.


What Activities Are Safe vs. Unsafe on Public WiFi

This is the practical question most guides avoid answering clearly. Let me be direct about the actual risk levels.

Safe vs. Unsafe Activities on Public WiFi

| Activity | Without VPN | With VPN | Why |
|---|---|---|---|
| Browsing HTTPS news sites | Generally safe | Safe | Content encrypted, metadata visible without VPN |
| Streaming video (Netflix, YouTube) | Generally safe | Safe | HTTPS streams are encrypted |
| Using end-to-end encrypted messaging (Signal, WhatsApp) | Safe | Safe | E2E encryption operates independently of network |
| Logging into bank/financial accounts | Moderate risk | Safe | HTTPS protects content; risk from evil twin, SSL stripping |
| Corporate email and VPN-required systems | Risky without corporate VPN | Safe with VPN | Sensitive data, should follow IT policy |
| HTTP websites (no S) | High risk | Safe | Fully readable by any network observer |
| Entering passwords on unfamiliar or HTTP pages | High risk | Moderate — verify URL | Risk of phishing, SSL stripping |
| Accessing sensitive databases or admin systems | High risk | Safer — use dedicated VPN | Too valuable a target for public network |
| Video calls (Zoom, Teams with HTTPS) | Generally safe | Safe | Encrypted by application layer |
| Downloading files from unverified sources | High risk | High risk | Malware risk regardless of network |

The clearest rule I follow: never enter credentials for banking, work systems, or any account I care about on a public network without first verifying I am connected through a VPN. Checking Twitter or reading an article? The risk is low enough that I sometimes skip it. Logging into my bank? Never without VPN, period.


Protection Tools: What Works and What Does Not

There is a lot of noise in the VPN and security tool market. Here is an honest look at what provides real protection on public WiFi specifically.

Protection Tools Comparison

| Tool | What It Protects | Limitations | Cost | Recommendation |
|---|---|---|---|---|
| ProtonVPN | All traffic — content and metadata, DNS | Server must be trusted; slight speed overhead | Free tier / $4-10/month | Top pick for personal use |
| Mullvad VPN | All traffic, no-account policy, strong privacy | No free tier, less name recognition | ~$5/month | Best for maximum privacy |
| Cloudflare WARP | Encrypted DNS + partial traffic protection | Not a full VPN; Cloudflare sees some metadata | Free / $2.99/month WARP+ | Good for DNS protection specifically |
| NordVPN | All traffic | Has had past security incidents; large commercial operation | $3-6/month on sale | Acceptable but not my first choice |
| Corporate VPN (Cisco, Palo Alto) | All traffic per corporate policy | Only for work traffic; personal traffic may route differently | Provided by employer | Use it for all work on public networks |
| HTTPS-only mode (browser) | Blocks HTTP connections | Does not encrypt metadata or DNS | Free — built into browsers | Enable this always, everywhere |
| Encrypted DNS (NextDNS, DoH) | DNS query privacy | Does not encrypt other traffic | Free tier available | Enable in addition to VPN, not instead |

One tool I want to specifically mention as not a solution: free VPNs from unknown providers. Multiple studies, including a CSIRO analysis of hundreds of Android VPN apps, found that many free VPNs contain malware, inject advertising, sell your browsing data, or provide no meaningful encryption despite claiming to. If you use a free VPN, use ProtonVPN's free tier (which has verified no-logs policies) or Cloudflare's WARP. Avoid random free VPNs from the app store.


How to Identify a Legitimate vs. Malicious Network

The evil twin attack — where an attacker creates a WiFi hotspot with the same or similar name as a legitimate network — is underused but effective. You connect to "Starbucks WiFi" without realizing it is actually "Starbucks_WiFi" run from someone's laptop, and now all your traffic routes through their machine.

Signs you might be on a malicious network:

  • You are prompted for more information than expected on the captive portal (email, password, credit card)
  • Certificate warnings appear on sites that normally load cleanly
  • Connections are unusually slow or intermittent (traffic routing through a second device adds latency)
  • The SSID (network name) has subtle differences: extra spaces, underscores, slightly different capitalization

Practical countermeasure: ask a staff member for the exact network name before connecting, rather than guessing from the list of available networks. A coffee shop in a dense urban area may have a dozen similar-named networks visible.

Also: when your VPN is active, an evil twin attack is significantly mitigated — the attacker routes your traffic but everything they see is encrypted through the VPN tunnel.
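The SSID check from the list above can be automated once staff have given you the exact network name. This is an added example, not part of the original article: it flags visible networks that differ from the expected name only in case, spacing, punctuation or a character or two. The function names and the scan list are hypothetical, constructed samples.

```python
import unicodedata

def canonical(ssid):
    """Fold case and drop spaces/underscores/punctuation so look-alikes collide."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(expected, visible):
    """Label each visible SSID relative to the exact name staff gave you."""
    want = canonical(expected)
    report = []
    for ssid in visible:
        if ssid == expected:
            # An exact match is necessary, not sufficient: a twin can copy the name.
            label = "exact name"
        elif canonical(ssid) == want:
            label = "lookalike: differs only in case, spacing or punctuation"
        elif edit_distance(canonical(ssid), want) <= 2:
            label = "lookalike: near-identical spelling"
        else:
            label = "unrelated"
        report.append((ssid, label))
    return report

# Constructed sample scan results (hypothetical names).
EXPECTED = "Starbucks WiFi"
VISIBLE = ["Starbucks WiFi", "Starbucks_WiFi", "starbucks  wifi",
           "Starbucks WiFl", "CityLibrary"]

if __name__ == "__main__":
    for ssid, label in classify(EXPECTED, VISIBLE):
        print(f"{ssid!r:20} {label}")
```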


Building Secure Habits for Life on the Road

I work from coffee shops, airports, and hotel lobbies regularly. Over time, I have built a set of habits that make public network use routine without being anxious about it.

Connect VPN before doing anything sensitive. I open my VPN client before opening email, before logging into anything, and before doing any work. The order matters.

Enable HTTPS-only mode in your browser. Chrome, Firefox, and Safari all have settings to block HTTP connections entirely. This prevents accidental HTTP fallback and catches SSL stripping attempts.

Forget networks after use. Set your device to forget public networks after you disconnect rather than reconnecting automatically. This prevents automatic connection to spoofed networks in the future.

Use a personal hotspot for high-sensitivity work. For tasks involving financial data, confidential client information, or sensitive credentials, I use my phone's hotspot instead of public WiFi. It costs a small amount of cellular data but removes the shared network risk entirely.

For more on building comprehensive personal security habits, explore our tech career resources and download our free cybersecurity reference notes.


Frequently Asked Questions

Can someone see what I am doing on public WiFi?

Partially. On HTTPS connections, attackers can see which domains you connect to but not the content. On HTTP, everything is readable. DNS queries reveal every site you visit unless you use encrypted DNS. A VPN encrypts all of this including metadata.

Is public WiFi ever safe to use without a VPN?

For low-risk activities like browsing HTTPS news sites or using end-to-end encrypted apps, yes. For logging into accounts, financial activities, or work systems, the risk is meaningfully elevated without a VPN — especially if you cannot verify the network is legitimate.

What is a man-in-the-middle attack and how does it work on WiFi?

An attacker positions their device between yours and the network, intercepting and potentially modifying traffic. On WiFi this typically involves a rogue access point or ARP poisoning. HTTPS encrypts content against MITM, but SSL stripping can downgrade some connections. A VPN prevents MITM entirely.

Does HTTPS protect me on public WiFi?

HTTPS protects the content of connections from being read. It does not hide which websites you visit, does not protect against rogue HTTPS certificates in sophisticated attacks, and does not encrypt DNS queries. For most practical public WiFi threats, HTTPS provides strong protection for content. A VPN adds metadata and DNS protection.

What is the safest way to use public WiFi for work?

Connect to a trusted VPN first. Access corporate systems only through encrypted, VPN-protected connections. Avoid highly sensitive data operations on public networks when possible. Use your phone's personal hotspot for the most sensitive work. Follow your employer's IT security policy — most corporate policies require VPN on any non-corporate network.


Conclusion

Public WiFi in 2025 is safer than it was five years ago, primarily because HTTPS adoption has become near-universal for major services. But "safer" is not the same as "safe," and the metadata exposure, DNS leakage, and evil twin attack vectors remain real and practical threats that require deliberate countermeasures.

The good news: protection is not complicated or expensive. A reputable VPN, encrypted DNS, HTTPS-only browser mode, and the habit of connecting to VPN before doing sensitive work covers the vast majority of practical risk on public networks. The whole setup costs less than a few coffees a month.

Connect to VPN first. Browse freely. That is the practical answer.


Frequently Asked Questions

It depends on the traffic. On modern networks where most sites use HTTPS, an attacker can see which domains you are connecting to (such as 'google.com') but cannot read the content of those connections — they see encrypted data. However, they can still monitor metadata: which sites you visit, when, how often, and the size of transfers. Unencrypted traffic (HTTP, some DNS queries) is fully readable. If you are on a malicious access point or the attacker performs a MITM attack, the exposure increases. A VPN encrypts everything including metadata.