The Hollywood Myth (and Why It's Outdated)
The classic warning goes: "someone on the same Wi-Fi could be reading everything you type." That was true in 2012. It's mostly not true now.
The reason is a quiet revolution called HTTPS Everywhere. Almost every major website, app, and banking service today encrypts its traffic between your device and their server. Even if a hacker sat next to you in the airport lounge running a packet sniffer, they would see encrypted gibberish — not your password, not your messages, not your card number.
So why are people still telling you to be careful? Because the specific risks shifted, but they didn't disappear.
What HTTPS Actually Protects
- Your password as you type it on a login page
- Your messages in apps like WhatsApp, Signal, iMessage
- Your banking transactions on properly built apps
- Your search queries on Google, DuckDuckGo, etc.
- Your shopping cart and credit card on legitimate sites
For 95% of normal browsing, HTTPS does the heavy lifting. A coffee shop hacker can't pluck your Gmail password out of the air.
What HTTPS Doesn't Protect
Here's where the real risks live — and why the "use a VPN" advice hasn't gone away.
DNS Hijacking (MEDIUM)
When you type "bank.com," your device asks the network's DNS server for the right address. On open Wi-Fi, that DNS server belongs to whoever runs the network — and a malicious operator can quietly redirect you to a fake site. HTTPS will catch most of these (you'll see a certificate warning), but tired travelers click through warnings. VPNs route DNS through their own servers, bypassing the local network's DNS server entirely.
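An added example (not from the original article) of how a defender can compare the answers given by the Wi-Fi network's resolver with those from a resolver they trust. The domain names, addresses and verdict labels are constructed for illustration; gathering the answers themselves is left to whatever lookup tool you use.

```python
import ipaddress
from collections import Counter

# Constructed sample data: answers for the same names from the Wi-Fi network's
# resolver and from a trusted resolver. Names and addresses are placeholders.
LOCAL = {
    "bank.example": ["10.0.0.1"],
    "mail.example": ["10.0.0.1"],
    "news.example": ["203.0.113.80"],
    "shop.example": ["198.51.100.7"],
}
TRUSTED = {
    "bank.example": ["192.0.2.10"],
    "mail.example": ["192.0.2.25"],
    "news.example": ["203.0.113.80", "203.0.113.81"],
    "shop.example": ["198.51.100.99"],
}

# Ranges a public site should never resolve to (private, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def compare_resolvers(local, trusted):
    """Return {name: verdict}; verdict is 'ok', 'differs' or 'suspicious'."""
    # One address handed out for several unrelated names is a redirect signature.
    reuse = Counter(ip for ips in local.values() for ip in set(ips))
    verdicts = {}
    for name, ips in local.items():
        reference = set(trusted.get(name, []))
        if set(ips) & reference:
            verdicts[name] = "ok"
        elif any(is_internal(ip) or reuse[ip] > 1 for ip in ips):
            verdicts[name] = "suspicious"
        else:
            # No overlap alone is weak evidence: CDNs answer differently per
            # resolver. The TLS certificate check is what settles it.
            verdicts[name] = "differs"
    return verdicts
```

A "differs" verdict is common on healthy networks; "suspicious" is the one that warrants switching to cellular or a VPN before logging in anywhere.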
Evil Twin Networks (HIGH)
A laptop in the airport advertises a Wi-Fi network called "Free_Airport_WiFi_5G" — looks legit, no password, fast. Except it's not the airport's. It's someone's laptop. Once you connect, they can serve you fake login pages, push fake update prompts, and route your traffic through their tools. HTTPS still protects the basics, but the user-experience signals (familiar names, no password) make these attacks effective.
Captive Portal Injection (MEDIUM)
Hotel and airport portals — the "Accept terms to continue" page — sit between you and the open internet. They're designed to inject HTML into your browser. Most do it for legitimate reasons. Some hotels insert ads into non-HTTPS pages. Bad actors who take over a portal can do worse. A VPN tunnels through the portal once you accept it.
Outdated Apps Leaking (MEDIUM)
Not every app on your phone uses HTTPS perfectly. Older apps, small developers' apps, and certain region-specific apps still send data in cleartext or use broken encryption. You don't know which ones until something leaks. A VPN encrypts everything leaving your device — even from the careless app you forgot you installed three years ago.
Geo-Restrictions & Banking Lockouts (LOW: annoying, not dangerous)
This isn't a security threat, but it's the most common reason travelers actually need a VPN. Your bank app refuses to log in from Bangkok. Your streaming subscription locks you out in Tokyo. Government sites for tax filing only work from your home country. Connecting through a VPN server in your home country fixes all of this.
So When Does a VPN Actually Help?
Cutting through the marketing: a VPN gives you four things that matter for travel.
1. Encrypts every app, not just well-built websites
2. Routes DNS through trusted servers, not the hotel's
3. Hides which sites you're visiting from the network operator
4. Makes you appear in your home country for banking, streaming, government services
Items 1-3 are the security side. Item 4 is the practical side — and it's the one most travelers feel within the first 48 hours abroad.
NordVPN — what we use ourselves
We've tried four major VPN services over the years. NordVPN is the one we kept renewing — not because it's the cheapest, but because it consistently does the boring things well: it stays connected on flaky airport Wi-Fi, it has a server in basically every country we've needed, and the "auto-connect on untrusted networks" feature is genuinely set-and-forget.
One subscription covers up to 10 devices, so your phone, laptop, tablet, and partner's phone are all in. There's a 30-day refund window if it doesn't fit your travel pattern.
Affiliate link — we may earn a small commission at no cost to you. We only recommend it because we use it ourselves.
Habits That Help More Than Any VPN
A VPN is one tool. These habits matter just as much.
- Turn off auto-connect to known networks. Your phone automatically rejoining "Hotel_Free_Wifi" is how evil-twin attacks work: any network broadcasting the same name gets joined without asking.
- Update your phone before you fly. OS-level patches close the bugs that public Wi-Fi attackers actually exploit. The week before a trip is the right time, not the day you arrive jet-lagged.
- Use mobile data for sensitive things when possible. A travel eSIM gives you home-country-style cellular for a few dollars. Banking, government sites, and 2FA logins go on cellular; everything else can ride Wi-Fi.
- Enable 2FA on the accounts that matter — email, banking, social accounts. Even if a password gets captured, 2FA stops the actual takeover.
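An added example (not from the original article) that turns the evil-twin description and the auto-connect habit above into a check over a device's remembered networks and a nearby scan. The data layout, the finding labels and the "Home-Net" and "Office" entries are assumptions made for illustration; the other network names echo the article.

```python
from collections import defaultdict

# Constructed sample data. SAVED is what the device remembers; SCAN is what is
# advertised nearby as (ssid, bssid, security).
SAVED = {
    "Hotel_Free_Wifi": {"security": "open", "auto_join": True},
    "Home-Net": {"security": "wpa2", "auto_join": True},
    "Office": {"security": "wpa2", "auto_join": True},
}
SCAN = [
    ("Hotel_Free_Wifi", "02:00:00:00:00:01", "open"),
    ("Home-Net", "02:00:00:00:00:02", "open"),
    ("Office", "02:00:00:00:00:03", "wpa2"),
    ("Free_Airport_WiFi_5G", "02:00:00:00:00:04", "open"),
    ("Free_Airport_WiFi_5G", "02:00:00:00:00:05", "wpa2"),
]

def audit(saved, scan):
    """Return a sorted list of (ssid, finding) pairs."""
    findings = set()
    advertised = defaultdict(set)
    for ssid, _bssid, security in scan:
        advertised[ssid].add(security)
    for ssid, profile in saved.items():
        # An open profile carries no secret, so the name is the only thing
        # the device checks before rejoining.
        if profile["security"] == "open" and profile["auto_join"]:
            findings.add((ssid, "auto-join on open profile"))
        # A remembered protected network showing up without protection.
        if profile["security"] != "open" and "open" in advertised.get(ssid, ()):
            findings.add((ssid, "advertised open, saved as protected"))
    for ssid, kinds in advertised.items():
        # Legitimate deployments rarely mix open and protected under one name.
        if len(kinds) > 1:
            findings.add((ssid, "same name, mixed security"))
    return sorted(findings)
```

Every "auto-join on open profile" finding is a network worth forgetting before the trip.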
One more travel-tech tip
TraceGo is our other tool — an iOS GPS simulator that lets you preview how location-aware apps behave at your destination before you fly. Useful when you want to know whether your favorite navigation, food, or transit app handles a new city gracefully — without booking the trip first.
The Honest Bottom Line
Public Wi-Fi in 2026 isn't the wild west it was a decade ago. HTTPS handles a lot of the worst-case scenarios automatically, and most travelers will never personally encounter an evil-twin network. But the tools that close the remaining gaps cost a few dollars a month, work invisibly, and remove an entire category of "did I just leak something?" anxiety from a trip. That trade-off is why most experienced travelers we know just leave a VPN running and stop thinking about it.