How to Stay Private on Public Wi-Fi (And Why Most People Don't)
Public Wi-Fi is everywhere: airports, hotels, coffee shops, libraries. It's convenient, it's free, and it's one of the easiest ways for someone to intercept your data. Most users connect without a second thought. That's a mistake.
This guide covers what actually happens on a public network, what's at risk, and the concrete steps you should take every time you connect to one you don't control.
What Makes Public Wi-Fi Dangerous
When you connect to a public access point, you're sharing a network with every other device on it. Unlike your home router, where you control who's connected, a café network might have dozens of strangers on it at any given moment.
The two most common attacks on public networks are:
Man-in-the-Middle (MITM) Attacks An attacker positions themselves between your device and the router, on Wi-Fi typically by ARP spoofing the gateway or by running the access point themselves. Traffic flows through them before reaching its destination. Whatever isn't encrypted, they can read in plaintext: login forms, session cookies, API calls. Whatever is encrypted, they can still delay, drop, or redirect.
Evil Twin Access Points A malicious actor broadcasts a Wi-Fi network with a convincing name, like "Starbucks_Guest" or "AirportFreeWiFi", and waits for devices to connect. Your phone may join it automatically if the name matches a previously saved network; open (password-less) networks are the easy case, because there is no passphrase the attacker has to know. Once you're on their network, they control the whole path to the internet: the gateway, the DNS resolver, the captive portal.
These aren't theoretical. They're practical attacks that require minimal equipment and are well-documented in penetration testing literature.
What HTTPS Protects (and What It Doesn't)
A common misconception is that HTTPS makes public Wi-Fi safe. It helps, but it doesn't solve the problem.
HTTPS encrypts the content of your communication with a website. An attacker on the same network can still see:
- Which domains you're connecting to (via plaintext DNS queries and the Server Name Indication field in the TLS handshake, which is sent in the clear unless Encrypted Client Hello is in use, and it rarely is yet)
- How much data you're transferring and when
- Metadata that can reveal browsing patterns
Additionally, not every app or service you use enforces HTTPS consistently. Some mobile apps still transmit data over plain HTTP, or fetch a first page over HTTP before redirecting. Some older services use weak TLS configurations. Browsers get help from HSTS, but outside the browser you're trusting every piece of software on your device to implement encryption correctly, and that's a lot of trust.
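To make the SNI point concrete, here is an added example (not code from the original article) of what a passive observer on the café network can pull out of the very first packet of an HTTPS connection. The ClientHello bytes are constructed in the script itself so it runs offline; a real observer would read the same bytes off the air or a pcap.

```python
import struct
from typing import List, Optional

# --- constructed sample input: a minimal TLS ClientHello, built here so the
# --- parser has something to read without touching a network.
def build_client_hello(hostname: Optional[str]) -> bytes:
    """Return a TLS record carrying a ClientHello; SNI included when hostname is set."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # supported_versions (0x002b) advertising TLS 1.3, so the parser has to
    # step over an extension that is not server_name
    sv = b"\x02\x03\x04"
    extensions += struct.pack("!HH", 0x002B, len(sv)) + sv
    body = (
        b"\x03\x03"                                   # legacy client_version
        + bytes(32)                                   # random (zeroed in this sample)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes) -> Optional[str]:
    """Parse the server_name extension out of a TLS ClientHello; None if absent."""
    if len(payload) < 5 or payload[0] != 0x16:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                          # skip version(2) + random(32)
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue                                  # not server_name
        # server_name_list: 2-byte list length, then entries of type(1) len(2) name
        lpos = 2
        while lpos + 3 <= len(data):
            ntype = data[lpos]
            nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            lpos += 3
            if ntype == 0:
                return data[lpos:lpos + nlen].decode("ascii", "replace")
            lpos += nlen
    return None


def observed_hosts(packets: List[bytes]) -> List[Optional[str]]:
    """What a passive observer learns from each first-flight payload, in order."""
    return [extract_sni(p) for p in packets]


# Constructed "capture": three TLS handshakes and one plain-HTTP request.
SAMPLE_PACKETS = [
    build_client_hello("bank.example"),
    build_client_hello("mail.example.org"),
    build_client_hello(None),       # no SNI (or ECH hiding it): observer sees only the IP
    b"GET / HTTP/1.1\r\nHost: plain.example\r\n\r\n",   # plain HTTP: everything is visible
]

if __name__ == "__main__":
    for pkt, host in zip(SAMPLE_PACKETS, observed_hosts(SAMPLE_PACKETS)):
        print(f"{len(pkt):4d} bytes -> SNI {host!r}")
```

Two of the four payloads give away the site name before any encrypted byte is sent; the plain-HTTP one is a separate problem, since its whole content is readable. Run it against real traffic by feeding `extract_sni` the TCP payload of the first packet to port 443.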
The Right Way to Use Public Wi-Fi
1. Use a VPN, Every Time
A VPN creates an encrypted tunnel between your device and a remote server. All of your traffic routes through that tunnel before reaching the internet. From the perspective of anyone on the local network (other users, the access point operator, a passive observer), they see only encrypted traffic going to a single endpoint, the VPN server's address. What they can no longer see is which sites you visit or what you send to them.
Not all VPNs are equal. Key factors:
- Dedicated infrastructure matters. Shared VPN servers mean your traffic is co-mingled with thousands of other users, creating both performance and privacy tradeoffs. A dedicated server means your tunnel is yours alone. Note the flip side: a dedicated exit address is attributable to you alone, so it protects you from the café network, not from the sites you visit.
- Protocol matters. WireGuard is the current standard for performance and cryptographic soundness; OpenVPN and IKEv2/IPsec are also fine. Avoid PPTP (its MS-CHAPv2 authentication is broken) and L2TP without IPsec (L2TP on its own provides no encryption at all).
- No-log policy matters. If your VPN provider keeps connection logs, those logs can be subpoenaed or leaked. Understand what your provider retains.
Have the VPN up before you do anything on the public network. The tunnel can't exist until you have an IP address, so the real fix is configuration, not timing: set the client to connect automatically ("always-on" on Android and iOS, a startup tunnel on desktop) and enable its kill switch, which drops any traffic that would leave outside the tunnel. Don't browse first and connect to the VPN second; the seconds between association and tunnel establishment are a real exposure window, and a kill switch is what closes it.
2. Disable Auto-Connect for Unknown Networks
Every major operating system allows you to manage saved networks. Remove public networks from your saved list after you're done using them. Better yet, disable auto-join on any network you don't fully trust.
On most platforms:
- iOS/macOS: In the Wi-Fi settings, open the network's details and turn off "Auto-Join" (or choose "Forget This Network")
- Windows: Go to Network & Internet → Wi-Fi → Manage Known Networks, and remove public entries
- Android: Long-press the network and select "Forget", or open its details and turn off "Auto-connect"
This removes the automatic path into an evil twin for previously visited locations. It doesn't stop you from picking the impostor by hand, so when you join manually, confirm the exact network name (and whether it should have a password) with the venue.
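A quick sanity check you can run over a scan before joining, added here as an example and not part of the original guide: it flags an SSID that is being broadcast with two different security settings (a password-protected venue network next to an open one with the same name is the classic evil twin), a saved network that now appears with a security type other than the one you saved, and saved open networks that you should forget after use. The scan list and saved-network table are constructed; on a real machine you would fill them from `nmcli dev wifi list` or `netsh wlan show networks mode=bssid`.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed scan output: each entry is one BSSID (one physical radio) seen on the air.
SCAN = [
    {"ssid": "AirportFreeWiFi", "bssid": "aa:bb:cc:00:00:01", "security": "OPEN", "signal": -52},
    {"ssid": "AirportFreeWiFi", "bssid": "aa:bb:cc:00:00:02", "security": "OPEN", "signal": -60},  # 2nd real AP: normal
    {"ssid": "Cafe_Guest",      "bssid": "10:20:30:40:50:60", "security": "WPA2", "signal": -55},
    {"ssid": "Cafe_Guest",      "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "signal": -40},  # same name, no password, loudest
    {"ssid": "HomeNet",         "bssid": "02:11:22:33:44:55", "security": "OPEN", "signal": -45},  # your home SSID, at the airport, open
]

# Constructed saved-network table: SSID -> security type it was saved with.
SAVED = {"AirportFreeWiFi": "OPEN", "Cafe_Guest": "WPA2", "HomeNet": "WPA2"}


def audit_scan(scan: List[dict], saved: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (ssid, reason) findings worth a second look before joining anything."""
    findings: List[Tuple[str, str]] = []
    by_ssid: Dict[str, List[dict]] = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    for ssid in sorted(by_ssid):
        aps = by_ssid[ssid]
        # Several BSSIDs per SSID is normal (a venue has many APs); several
        # *security types* per SSID is not. The open one is the bait.
        if len({ap["security"] for ap in aps}) > 1:
            findings.append((ssid, "mixed-security"))
        # A network you saved as WPA2 showing up open is either a venue change
        # or someone reusing the name without the passphrase.
        if ssid in saved and any(ap["security"] != saved[ssid] for ap in aps):
            findings.append((ssid, "saved-security-mismatch"))

    # Saved open networks are the ones auto-join will walk into anywhere the
    # name is broadcast; the guide's advice is to forget them after use.
    for ssid, security in sorted(saved.items()):
        if security == "OPEN":
            findings.append((ssid, "saved-open-network"))
    return findings


def loudest_ap(scan: List[dict], ssid: str) -> dict:
    """The BSSID a client would most likely associate with for a given SSID."""
    return max((ap for ap in scan if ap["ssid"] == ssid), key=lambda ap: ap["signal"])


if __name__ == "__main__":
    for ssid, reason in audit_scan(SCAN, SAVED):
        ap = loudest_ap(SCAN, ssid)
        print(f"{ssid:16s} {reason:24s} strongest: {ap['bssid']} ({ap['security']}, {ap['signal']} dBm)")
```

Note that the loudest `Cafe_Guest` radio is the open one: signal strength is exactly what an attacker optimizes for, so "the strong one" is never evidence of legitimacy.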
3. Use DNS over HTTPS (DoH) or DNS over TLS (DoT)
Even with HTTPS, your DNS queries can leak information about where you're browsing. Standard DNS is unencrypted and easily read by anyone monitoring local traffic.
DoH and DoT encrypt your DNS queries. Most modern browsers support DoH natively, so enable it in your browser's privacy settings. At the OS level, Windows 11 has a built-in DoH setting per network adapter, and macOS and iOS accept DoH/DoT resolvers through a configuration profile.
If you're using a quality VPN, your DNS queries are routed through the encrypted tunnel and resolved on the far end, so they never appear in plaintext on the local network at all.
That closes the DNS-leak gap without you configuring DoH or DoT yourself, but only if the VPN client actually installs its own resolver and the OS uses it for every interface. Split-tunnel setups and some OS resolvers (Windows will happily query the café's DHCP-supplied resolver on the physical adapter) can still leak. Verify it's working with a leak test at a site like dnsleaktest.com: the only resolver it should report is the VPN's.
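As an added example that is not from the article or the vendor, here is a wg-quick style WireGuard client configuration that puts the three pieces from steps 1 and 3 together: a full tunnel, DNS resolved inside the tunnel, and a Linux kill switch (the iptables pattern that Mullvad documents for wg-quick) so nothing leaves the café network unencrypted even before the tunnel is up. Keys, addresses and the endpoint hostname are placeholders.

```ini
[Interface]
# Placeholder values: generate keys with `wg genkey`, or use your provider's config.
PrivateKey = <client-private-key>
Address = 10.64.0.2/32, fd00:64::2/128
# Resolve DNS at the far end of the tunnel, not at the café's DHCP-supplied resolver.
DNS = 10.64.0.1
# Kill switch: reject any outbound packet that is neither leaving via the tunnel
# (%i) nor carrying the tunnel's own fwmark (the encrypted UDP to the endpoint),
# except packets addressed to this host itself. Installed when the tunnel comes
# up, removed just before it goes down.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
# Full tunnel: every IPv4 and IPv6 destination is routed through the peer.
# A split tunnel (for example AllowedIPs = 10.64.0.0/24) would leave ordinary
# browsing, and its DNS, on the café network.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

Bring it up with `wg-quick up <name>`. Because both IPv4 and IPv6 are in `AllowedIPs` and both iptables and ip6tables rules are installed, an IPv6-capable café network can't route around the tunnel, which is the most common way a "full tunnel" still leaks.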
4. Keep Your Firewall Active
Public networks warrant stricter firewall rules than your home network. On Windows, ensure the network is classified as "Public" rather than "Private" (Settings → Network & Internet → Wi-Fi → the network's properties; `Get-NetConnectionProfile` in PowerShell shows the current category); the Public profile applies more restrictive inbound rules and turns off network discovery. On macOS, confirm the application firewall is enabled under System Settings → Network → Firewall, and consider "Block all incoming connections" while on the road.
A firewall won't stop outbound traffic interception, but it will block unsolicited inbound connections from other devices on the network attempting to probe your machine.
5. Minimize What You Do on Public Wi-Fi
Even with the precautions above, consider the sensitivity of what you're doing. Logging into your bank, accessing business systems, or handling sensitive communications on an airport network is a higher-stakes activity than reading the news.
If you need to do something sensitive, ask yourself whether it can wait until you're on a trusted network, or use your phone's cellular data as a hotspot instead.
A Note on Mobile Hotspots
Your phone's cellular connection is significantly more private than public Wi-Fi. It's harder to intercept, doesn't put you on a shared segment with strangers, and is run by a carrier with a known identity and regulatory obligations rather than by whoever set up the café router. The carrier still sees your traffic metadata, so HTTPS and the other precautions above still apply.
If your data plan allows it, tethering to your phone for sensitive tasks is often the simpler and more secure choice compared to joining a public access point at all.
Summary
| Threat | Mitigation |
|---|---|
| Traffic interception (MITM) | VPN with encrypted tunnel |
| Evil twin access points | Disable auto-join, manual network selection |
| DNS leaks | DoH/DoT or VPN with leak protection |
| Inbound probing from other users | Firewall on Public network profile |
| Persistent exposure from saved networks | Remove public networks after use |
Public Wi-Fi isn't something to avoid entirely. It's something to use correctly. With a reliable VPN active, encrypted DNS, and a few configuration changes on your devices, you can use public networks without handing your traffic to whoever happens to be nearby.
NorexVPN provides dedicated WireGuard servers, one per customer, with no shared infrastructure. Start your free trial.