The Actual Risks on Public WiFi
The main risks on public WiFi are man-in-the-middle (MITM) attacks, where someone intercepts traffic between your device and the network, and evil twin attacks, where a malicious hotspot mimics a legitimate one. HTTP traffic is readable by anyone on the same network. HTTPS traffic is encrypted end-to-end, so HTTPS content stays protected even on a compromised network. The risk landscape has narrowed significantly as HTTPS adoption has become near-universal.
What a VPN Protects Against
A VPN encrypts all your traffic before it leaves your device and tunnels it through the VPN server. This means that even if someone intercepts your traffic on a public network, they see only encrypted data. Your DNS queries, the websites you visit, and any unencrypted traffic are all protected inside the VPN tunnel.
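The claim that DNS queries travel inside the tunnel can be checked on a Linux client. The following is an added example, not part of the original article: it reads `ip -4 route show` output and `/etc/resolv.conf` contents and reports any general traffic or DNS resolver that would leave through the WiFi interface. The interface-name prefixes, the probe addresses and the sample routing table are assumptions constructed for illustration; IPv6 and route metrics are not handled.

```python
import ipaddress

TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp")  # assumed VPN interface names

def parse_routes(text):
    """Turn `ip -4 route show` output into (network, device) pairs."""
    routes = []
    for fields in map(str.split, text.strip().splitlines()):
        if "dev" not in fields[:-1]:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # entries such as "unreachable ..." are skipped
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_device(routes, addr):
    """Longest-prefix match (metrics ignored): device used to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None

def audit(route_text, resolv_conf):
    """Return findings; an empty list means probes and DNS use the tunnel."""
    routes, findings = parse_routes(route_text), []
    # One probe per half of IPv4 space: some clients add 0.0.0.0/1 and
    # 128.0.0.0/1 instead of replacing the default route.
    targets = [("traffic", "1.0.0.1"), ("traffic", "192.0.2.1")]
    for parts in map(str.split, resolv_conf.splitlines()):
        if len(parts) >= 2 and parts[0] == "nameserver":
            targets.append(("DNS", parts[1]))
    for kind, addr in targets:
        if ipaddress.ip_address(addr).is_loopback:
            findings.append(f"{kind} to {addr}: local stub, check its upstream")
            continue
        dev = egress_device(routes, addr)
        if dev is None or not dev.startswith(TUNNEL_PREFIXES):
            findings.append(f"{kind} to {addr} leaves via {dev}, not the tunnel")
    return findings

# Constructed sample: split-default routes as some VPN clients install them.
VPN_UP = """0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57"""

print(audit(VPN_UP, "nameserver 192.168.1.1\n"))  # resolver is the hotspot router
```

In the sample, general traffic is routed through `tun0`, but the resolver handed out by the hotspot sits on the directly connected WiFi subnet, so DNS queries bypass the tunnel even though the VPN is up.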
What a VPN Does Not Protect Against
A VPN does not protect against malware already on your device. It does not prevent phishing attacks. It does not protect against vulnerabilities in the VPN application itself. For comprehensive public WiFi security, combine a VPN with HTTPS awareness and a patched operating system.
Practical Recommendations
Enable the VPN before connecting to any public network. Use a VPN with automatic activation when connecting to untrusted networks. ExpressVPN, NordVPN, and Mullvad all offer this feature. At minimum, avoid logging into financial or medical accounts on public WiFi without a VPN, even if those sites use HTTPS.