Public Wi-Fi safety — mlab Academy

Q: Is HTTPS enough to protect me on public Wi-Fi?

Mostly for content, but not against fake captive portals, DNS hijacking or metadata. Combine HTTPS with a VPN.

Q: Should I do online banking on hotel Wi-Fi?

Prefer a phone hotspot or a VPN, otherwise wait for a trusted connection.

Q: Are password-protected hotel networks safer?

Slightly, but shared passwords mean other users can still sniff you.

1The real risks of public Wi-Fi

Coffee shops, airports, hotels: public Wi-Fi networks are convenient but they share two properties that make them risky. Anyone can join, and you often cannot tell the real network from a malicious clone set up by an attacker two tables away. The danger is not what most people imagine — HTTPS now protects 95%+ of browsing — but more subtle tricks still work: fake captive portals, DNS hijacking, and the classic evil twin that mimics the real SSID.

2Main attack techniques

Evil twin

The attacker sets up an access point with the same SSID as the café. Your phone auto-connects to whichever signal is stronger — theirs.

Fake captive portal

A convincing login page asks for your email, hotel room number, or credit card "to access the Wi-Fi".

DNS hijack

The router's DNS is tampered with, sending bankofexample.com to a look-alike phishing server.

Passive sniffing

On open networks, metadata (DNS queries, SNI hostnames) is still visible — enough to profile you.

Verify a suspicious domain on mlab.sh

Not sure that portal URL is real? Run it through the mlab.sh domain scanner before typing any credentials.

Scan a domain on mlab.sh

3How to stay safe

Prefer your phone's hotspot

4G/5G tethering is almost always safer than a random café network.

Use a reputable VPN

A VPN tunnels all traffic through an encrypted link, neutralising evil-twin sniffing and DNS hijacking.

Disable auto-join for open networks

Stops your phone from silently connecting to Free-Airport-WiFi every time it sees the name.

Check the HTTPS padlock and domain

If your bank suddenly triggers a certificate warning on public Wi-Fi, stop immediately.

Never enter credit card details on a captive portal

A real hotel or airport Wi-Fi either asks for a room number or is free. Asking for a card on the portal itself is a scam.

Public Wi-Fi FAQ

Is HTTPS enough to protect me on public Wi-Fi?

Mostly yes for the content of your traffic, but not against fake captive portals, DNS hijacking or metadata leakage. Combine HTTPS with a VPN for sensitive tasks.

Should I do online banking on hotel Wi-Fi?

If you must, use your phone's hotspot or a VPN first. Otherwise defer to a trusted connection.

Are password-protected hotel networks safer?

Slightly — but if everyone has the same password, anyone on the network can still sniff you.

Related Modules

What is 2FA / MFA?

Two-factor authentication (2FA) and multi-factor authentication (MFA): why a password alone is not enough.

Password security best practices

Strong passwords, password managers, passphrases: how to build a password strategy that actually works.

What is DNS?

The Internet's phone book: how DNS translates domain names into IP addresses.