Connecting to public Wi-Fi networks - threat or scare?
Never connect to public Wi-Fi without a VPN! Avoid carrying out banking transactions on public networks – especially at airports! Hackers can steal your login credentials or spy on your communication! But is it really that bad?
You've almost certainly come across these warnings – or some version of them – in dozens of articles that pop up online every year as the holiday season approaches. But is it truly the case that if a hacker sets up a fake Wi-Fi network, they can see everything you do online and even steal your banking or login details? This article aims to set the record straight.
We'll examine the three most common myths surrounding public Wi-Fi and reveal what’s actually true. And as a bonus, we’ve tested what a hacker can really see when you connect to a fake Wi-Fi network.
Myth 1
Hackers can see everything you do on public Wi-Fi.
Reality: If you’re on a legitimate website that uses the HTTPS protocol (you'll recognise it from “https://” in the address bar or a message saying “Connection is secure” when you click the padlock icon), your communication with the server is encrypted – meaning the hacker can’t see the page content, text, passwords or any data you enter. However, they can still see some information ‘from the outside’, such as:
- The domain you're visiting (e.g. google.com)
- When and how much data you send and receive
- Some technical information about your device
But they cannot see:
- The content of the visited page (text, images, forms)
- Passwords and personal data from forms
- Messages, login tokens, and so on
Most Czech websites use HTTPS these days, so you rarely come across unsecured ones. Abroad, however, you may still find unencrypted websites. That’s why it’s wise to stay alert when travelling and pay attention to the websites you’re visiting.
Summary: If you’re visiting a legitimate HTTPS site, your communication is encrypted. This means a hacker can’t see the contents, passwords, or personal information you enter. They may, however, see some basic metadata such as the domain name and limited device info. In the Czech Republic, HTTPS is generally standard, but this may not be the case elsewhere.
Myth 2
Never perform financial transactions over public Wi-Fi – a hacker can easily redirect you to a fake site.
Reality: First, most people carry out banking through their bank’s official app. These apps are designed to be secure even over unprotected public networks, such as café or airport Wi-Fi. They use strong encryption to protect your data in transit and often include additional security layers like user verification and certificate checks. This applies only if you're using an official banking app downloaded from a trusted source (Google Play, App Store) and keep your device regularly updated – updates often patch security vulnerabilities.
Second, the same principles apply when using a secure browser to access internet banking or other HTTPS sites.
You may have come across articles claiming that even if you enter the correct address of a website, an attacker on a public Wi-Fi network can redirect you to a fake site and find out all the information you enter there. In reality, it's not that simple for the attacker. Here's an example of what that might look like.
Example
- You connect to a hacker's Wi-Fi and type “amazon.com” into your browser
- The hacker tries to redirect you to “amaz0n.com” (with a zero instead of an “o”)
- If the site uses HTTPS, your browser will check whether the certificate matches the domain. If it doesn’t, you'll see a warning like “Your connection is not private”
- Do not ignore this warning or click “Proceed to amazon.com.” You’ll be entering a phishing site. Disconnect from the Wi-Fi – the attacker controls it and is trying to steal your login or credit card data
⚠️ A different situation arises if you yourself mistype the address or click a phishing link in an email or SMS – for example, “amaz0n.com” instead of “amazon.com.” That domain could be registered by an attacker, have a valid HTTPS certificate, and visually mimic the original. In that case, the browser won’t warn you – everything looks legitimate on the surface. You’ll learn more about how to recognise such attacks in our Cyber Compass course.
Summary: If you use internet banking via a web browser and visit HTTPS-secured sites, the browser protects you from being redirected to fake servers by displaying a warning if there are problems with the certificate. However, the greatest risk is when a user visits a fake address themselves - for example, by clicking on a phishing link in an email or SMS, or when they access a site without HTTPS security (HTTP only). Therefore, it is always important to check the entire address in the browser carefully, not just the lock icon. You can learn more about how to protect yourself from phishing attacks in our Cyber Compass course in the Phishing module.
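The warning described in the example above comes from the browser comparing the names listed in the server's certificate with the host you typed into the address bar. The following script is an added illustration (it is not code from the original article) of a simplified version of that check: names are compared exactly, label by label, with a wildcard allowed only as the whole left-most label, so a certificate for amazon.com can never be accepted for amaz0n.com. The certificate names and host names used are constructed for the example.

```python
# Added example (not from the original article): a simplified version of the
# hostname check a browser performs on an HTTPS certificate (RFC 6125 style).
# It compares the DNS names a certificate lists against the host typed into
# the address bar. The names and certificates below are constructed.

def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a lone '*' matches any single label."""
    return pattern == "*" or pattern == label


def hostname_matches(cert_names, hostname: str) -> bool:
    """Return True if hostname is covered by one of the certificate's names.

    Rules applied (a subset of what browsers enforce):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard '*' is only allowed as the entire left-most label
    - the wildcard covers exactly one label: '*.example.com' matches
      'www.example.com' but not 'example.com' or 'a.b.example.com'
    - there is no fuzzy matching at all: 'amaz0n.com' is simply a
      different name from 'amazon.com'
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue
        # Reject wildcards anywhere except as the whole left-most label
        if any("*" in p for p in pat_labels[1:]) or (
            "*" in pat_labels[0] and pat_labels[0] != "*"
        ):
            continue
        # A wildcard must not cover a whole top-level domain such as '*.com'
        if pat_labels[0] == "*" and len(pat_labels) < 3:
            continue
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


# Constructed certificate: the names a legitimate shop's certificate might list.
SHOP_CERT_NAMES = ["amazon.com", "*.amazon.com"]


def browser_decision(cert_names, typed_hostname: str) -> str:
    """Mimic the outcome the user sees after the certificate check."""
    if hostname_matches(cert_names, typed_hostname):
        return "connection secure"
    return "warning: certificate does not match " + typed_hostname


if __name__ == "__main__":
    for host in ["amazon.com", "www.amazon.com", "amaz0n.com", "a.b.amazon.com"]:
        print(f"{host:16} -> {browser_decision(SHOP_CERT_NAMES, host)}")
```

The same function also explains the caveat that follows: if the attacker has registered amaz0n.com and obtained a certificate for exactly that name, the check passes for amaz0n.com, because the browser can only verify that the certificate matches the address you asked for, not that the address is the one you meant.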
Myth 3
A VPN is the only way to stay safe on public Wi-Fi.
Reality: A VPN is a great tool, but it’s not the only way to protect yourself. A VPN encrypts all data traffic between your device and the VPN server, preventing hackers on the same Wi-Fi from seeing not just your content, but even metadata like the sites you visit, when, and how much data is transferred. This is especially useful for browsing unsecured (HTTP) websites.
A VPN also protects you against DNS attacks (e.g. DNS spoofing). Instead of your phone or computer sending its DNS queries over the local network, which an attacker can control, it sends them through the encrypted tunnel to the VPN server, which resolves them on your behalf. This makes it impossible for an attacker on the local network to redirect you to a fake site by changing the DNS response.
But even without a VPN, you can stay safe by:
- Visiting HTTPS websites, which encrypt the communication between you and the server – so a hacker can’t see what you're doing or entering. (Note: this applies only to legitimate sites – phishing sites can also use HTTPS, as shown in Myth 2.)
- Keeping your operating system, browser and apps updated – updates fix vulnerabilities that attackers could exploit
- Being cautious – check what you’re clicking and always verify URLs. Make sure you're really on “facebook.com” and not a fake like “facepook.com”
- Using official apps – e.g. banking apps are designed to function securely even without a VPN
And if you’d like to use a VPN, Masaryk University offers one for free to students and employees. You can easily set it up using the guide here: https://it.muni.cz/en/services/eduvpn
Summary: A VPN is a strong security tool, particularly for HTTP sites and DNS protection. HTTPS connections already provide strong protection, and using official encrypted apps is safe even on public networks. But it won't protect you if you click on a phishing link in an email or SMS. For more on secure internet communication, check out the Secure Connection module in our Cyber Compass course.
What else should you watch out for?
Beware of fake Wi-Fi login pages (so-called captive portals)
When connecting to public Wi-Fi, a login page often appears where you need to accept the terms of use. This mechanism is called a captive portal. However, an attacker can create a fake portal that pretends to be an official page (e.g., Starbucks, Facebook, or the Wi-Fi provider) but is actually used to collect data or spread malicious code.
How to protect yourself:
- Never enter passwords for your personal accounts (such as Google, Facebook, or other online services) on pages that open automatically after connecting to Wi-Fi. Legitimate public network login portals may sometimes request your email address or agreement to terms, but they will never ask you to log into your personal accounts
- Check the address in your browser – if you see a suspicious or shortened domain (e.g., freewifi-login.com, go0gle-login.net), it’s better not to use that Wi-Fi
- Do not install any “required plugins” or applications suggested by the captive portal. No regular Wi-Fi requires you to download software
- Be cautious – if the captive portal looks different than usual, it’s best to disconnect from the Wi-Fi immediately
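The advice above (and under Myth 3) to check the address and watch for lookalikes such as “facepook.com” or “go0gle-login.net” can be partly automated. The script below is an added example, not code from the original article, of the kind of check a defender might run over captive-portal or link URLs: it undoes common digit-for-letter swaps, measures how close each part of the hostname is to a short list of brands, and flags a brand name that appears inside a host that is not the brand's own domain. The brand list and sample URLs are constructed; it only catches brand lookalikes, not generic names such as freewifi-login.com.

```python
# Added example (not from the original article): a small lookalike-domain check
# of the kind a defender might run over captive-portal or link URLs. The brand
# list and sample URLs are constructed for illustration.
from urllib.parse import urlsplit

# Brand domains worth protecting; anything that merely resembles one of these
# is reported. Constructed list for the example.
BRANDS = {"google.com", "facebook.com", "amazon.com"}

# Digits commonly swapped in for visually similar letters in fake names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(hostname: str) -> str:
    """Last two labels, e.g. 'login.go0gle-login.net' -> 'go0gle-login.net'.
    (Production code would consult the Public Suffix List; two labels suffice here.)"""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_findings(url: str, brands=BRANDS, max_distance: int = 1):
    """Return human-readable reasons the URL's host resembles a brand without
    being that brand's domain; an empty list means nothing suspicious was found."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["no hostname in URL"]
    if registrable_domain(host) in brands:
        return []  # the brand's real domain (or one of its subdomains)
    findings = []
    # Split labels on hyphens too, so 'go0gle-login' yields 'go0gle' and 'login'
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    for brand in sorted(brands):
        name = brand.split(".")[0]  # 'google' from 'google.com'
        for tok in tokens:
            if tok == name:
                findings.append(f"'{name}' used inside non-{brand} host {host}")
            elif tok.translate(HOMOGLYPHS) == name:
                findings.append(f"'{tok}' is '{name}' with swapped characters")
            elif levenshtein(tok, name) <= max_distance:
                findings.append(f"'{tok}' is one edit away from '{name}'")
    return findings


if __name__ == "__main__":
    # Constructed URLs: one legitimate, three lookalikes of the kinds the article names
    for u in ["https://www.google.com/accounts", "http://go0gle-login.net/",
              "https://facepook.com/login", "http://facebook.login-free.net/"]:
        print(u, "->", lookalike_findings(u) or "ok")
```

A tool like this is a screen, not a verdict: a hit means "look closer before typing anything", and an empty result only says the host is not close to one of the brands you listed.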
Final word
Public Wi-Fi networks aren’t automatically dangerous – but risks rise if you ignore browser warnings or miss key security signals. Many of the threats associated with public Wi-Fi are based on real attack methods – but are often exaggerated. Today’s devices, apps and browsers include numerous security features. VPNs are a great additional layer of protection, but far from the only one. Visiting HTTPS websites is highly protective – and no VPN can shield you from your own inattention (like falling for a phishing scam).
If you'd like to learn more about cybersecurity, take one of our courses, sign up for training, or explore more of our articles.
Bonus for the Curious: The Difference Between HTTP and HTTPS
As an experiment, we set up our own Wi-Fi network and connected to it. At the same time we created a web page with a registration form - first without a certificate (i.e. over HTTP), and later we installed a certificate on the page so that it worked over HTTPS. Using a network traffic monitoring and analysis tool, we tracked the data transmitted between our device and the internet. Here is what it looked like.
HTTP
When we visited the unsecured HTTP page at nocvedcu.csirt.muni.cz, the browser showed a crossed-out padlock. Clicking it revealed a warning that the connection was not secure.
We filled in and submitted the registration form. What could the network administrator (or potential attacker) see? A lot! They could see not only the visited site but also all data entered – name, password, email address, date and time of submission. They also saw technical info like browser type and version, operating system, and other details from the User-Agent header.
HTTPS
We then secured the site with a certificate so it worked over HTTPS. We filled out the same form and submitted it again.
What could the administrator see now? Almost nothing! The communication was encrypted, and instead of readable data, they saw a meaningless string of characters that couldn’t be deciphered. The only visible information was the device’s IP address and the domain visited.
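The two observations above, and the visible/invisible lists under Myth 1, can be reproduced offline. The script below is an added example (not code from the original article or from the experiment it describes): it builds the same form submission once as a plaintext HTTP POST and once wrapped in TLS-style records, then runs a passive "observer" over both. The form values and User-Agent are constructed, the Host/SNI name reuses the test site named above, and the ClientHello and record framing follow the real TLS layout so that the SNI parser shows exactly where the domain name remains readable. The encryption of the application data is a SHA-256 counter keystream standing in for TLS's AES-GCM/ChaCha20-Poly1305, so that the example runs with only the standard library; it is not real TLS cryptography.

```python
# Added example (not from the original article): what a passive observer on the
# Wi-Fi recovers from one form submission sent as plaintext HTTP versus inside a
# TLS (HTTPS) session. Form data and User-Agent are constructed. The TLS record
# and ClientHello layouts are real; the "encryption" is a SHA-256 keystream
# standing in for TLS's AEAD ciphers (NOT real TLS crypto).
import hashlib
import os
import struct
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

FORM = {"name": "Jane Doe", "email": "jane@example.org", "password": "hunter2"}
HOST = "nocvedcu.csirt.muni.cz"  # the article's test site, used as Host/SNI name
USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"  # constructed


def http_request(host: str, form: dict) -> bytes:
    """The bytes a browser sends for a plaintext HTTP form POST."""
    body = urlencode(form).encode()
    head = (f"POST /register HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: {USER_AGENT}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def observe_http(packet: bytes) -> dict:
    """Everything a sniffer recovers from the plaintext request: all of it."""
    head, body = packet.split(b"\r\n\r\n", 1)
    lines = head.decode().split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    fields = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return {"domain": headers["Host"], "user_agent": headers["User-Agent"],
            "form": fields, "bytes": len(packet)}


def tls_record(content_type: int, payload: bytes) -> bytes:
    """TLS record header: type(1) version(2) length(2), then the payload."""
    return struct.pack("!BHH", content_type, 0x0303, len(payload)) + payload


def client_hello(sni: str) -> bytes:
    """Minimal ClientHello carrying only a server_name (SNI) extension."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, type, name len
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext            # extension type 0 = SNI
    body = (struct.pack("!H", 0x0303) + os.urandom(32) + b"\x00"        # version, random, empty session id
            + struct.pack("!HH", 2, 0x1301) + b"\x01\x00"               # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return tls_record(0x16, handshake)


def extract_sni(record: bytes) -> Optional[str]:
    """Walk the ClientHello as a sniffer would; the server name is sent in the clear."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                   # record hdr(5) + hs hdr(4), skip version + random
    p += 1 + record[p]                               # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                               # compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + nlen].decode()
        p += elen
    return None


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for TLS record encryption (NOT real TLS crypto): SHA-256 in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def https_session(host: str, form: dict, key: bytes) -> List[bytes]:
    """Records on the wire: a ClientHello, then the encrypted HTTP request."""
    return [client_hello(host), tls_record(0x17, keystream_xor(key, http_request(host, form)))]


def observe_https(records: List[bytes]) -> dict:
    """What the same sniffer gets without the session key: domain, sizes, no content."""
    view = {"domain": None, "user_agent": None, "form": None, "bytes": 0}
    for r in records:
        view["bytes"] += len(r)
        if r[0] == 0x16:
            view["domain"] = extract_sni(r)
        elif r[0] == 0x17:
            view["ciphertext_preview"] = r[5:21].hex()  # the "meaningless string of characters"
    return view


if __name__ == "__main__":
    print("HTTP :", observe_http(http_request(HOST, FORM)))
    print("HTTPS:", observe_https(https_session(HOST, FORM, os.urandom(32))))
```

Running it shows the split the article describes: the HTTP view contains the name, e-mail, password and User-Agent, while the HTTPS view contains only the domain (from the SNI field of the handshake) and the number of bytes transferred. The same reasoning is why a VPN, which wraps the ClientHello as well, hides even the domain from someone on the local Wi-Fi.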