Public Wi-Fi Security: A Practical Guide
Public Wi-Fi is safer than it used to be — almost every site now uses HTTPS, which encrypts your traffic in transit. But "safer" is not "safe." Captive portals, evil twin networks, and DNS tricks still expose you. This is the practical guide: what's actually at risk on hotel and café Wi-Fi in 2026, and the moves that genuinely protect you.
What HTTPS already does for you
When you load any site that shows the padlock icon, your browser establishes a TLS tunnel directly with that server. Everything inside — your password, the page contents, cookies — is encrypted. The Wi-Fi access point, the ISP serving the café, and anyone snooping on the radio between you can see which server you're talking to, but not what you're sending or receiving.
This covers maybe 95% of the historical risk of public Wi-Fi. The classic "Firesheep" attack of 2010 — sniffing unencrypted Facebook session cookies out of the air — doesn't work on modern sites.
What HTTPS does not protect against
DNS visibility
Even with HTTPS, your DNS lookups happen first and are usually unencrypted. The café Wi-Fi sees that you looked up mybank.com, even if it can't see anything inside the connection.
Captive portal injection
Captive portals (the "Accept the terms to use this Wi-Fi" page) work by intercepting early HTTP requests. They can also inject scripts or redirect non-HTTPS traffic. Some hotel networks have been caught injecting ads into HTTP responses long after you've signed in.
Evil twin networks
Anyone with a $20 device can broadcast an SSID called "Free Airport Wi-Fi" or copy the exact name of a legitimate hotspot. If your device joins it, every connection now goes through their hardware. HTTPS still protects content, but they see all your DNS and metadata, and they can intercept any service that doesn't strictly require certificate pinning.
SSL stripping on legacy sites
A small number of sites still load over plain HTTP and only redirect to HTTPS on form submit. An attacker on the same network can intercept that initial request and keep you on HTTP forever. HSTS preload lists shut this down for major sites, but not every site is on them.
The realistic threat ranking
- Most likely: The network operator collects metadata — which domains you visit, how long, from what device. Used for analytics, often sold to data brokers.
- Moderately likely: Captive portal injects something. Sometimes ads, rarely malware.
- Uncommon but real: Evil twin / SSID spoofing in a fixed location like a conference or airport.
- Rare: Active person-in-the-middle attack on a specific user. Requires proximity and a target.
What actually protects you
- Use a VPN. Once the tunnel is up, all your DNS, all your IP-level traffic, and all your metadata go through the VPN. The Wi-Fi sees encrypted traffic to one server and nothing else.
- Enable DNS-over-HTTPS or DNS-over-TLS in your OS. Even without a VPN, this hides your DNS lookups from the local network. macOS, iOS, Windows 11, and Android all support it.
- Disable auto-join for open networks. Most modern OSes have a setting that stops your phone from silently joining any open SSID with a familiar name.
- Use HSTS-aware browsers. Chrome, Firefox, Safari, and Edge all enforce HTTPS for major sites via preload. Don't click through certificate warnings.
- Run a leak test after connecting. Confirm your VPN is actually working with our VPN leak test and DNS leak test.
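As an added example (not part of this guide or of any leak-test tool), the following shows what the DNS visibility section means in concrete terms and doubles as an offline leak check: it decodes the question section of a plaintext DNS query, which is exactly what a local observer reads off a port-53 packet. After a VPN or DoH/DoT is enabled, any name this function still extracts from captured traffic is a leak. The `build_query` helper and the `SAMPLE` packets are constructed for the demo.

```python
# Added example: decode plaintext DNS queries (RFC 1035 wire format) to see
# what the local network sees, and flag any that appear once DoH/DoT or a
# VPN is supposed to be carrying DNS. Sample packets are constructed.
import struct

def parse_dns_question(payload: bytes) -> dict:
    """Return id, query/response flag and the first question of a DNS message."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                       # compression pointers are not valid in a query name
            raise ValueError("unexpected compression in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "is_query": not (flags & 0x8000),
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build the wire-format query a stub resolver sends (constructed for the demo)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def leaked_names(udp_payloads):
    """Given (dst_port, payload) pairs captured after the tunnel is up, list cleartext lookups."""
    names = []
    for dst_port, payload in udp_payloads:
        if dst_port != 53:
            continue
        try:
            q = parse_dns_question(payload)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue                            # not a well-formed DNS query
        if q["is_query"]:
            names.append(q["name"])
    return names

# Constructed sample: one plaintext lookup plus an unrelated non-DNS UDP packet.
SAMPLE = [(53, build_query("mybank.com")), (4500, b"\x00" * 8)]

if __name__ == "__main__":
    print(leaked_names(SAMPLE))                 # ['mybank.com']
```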
Mobile hotspot vs public Wi-Fi
If your data plan allows it, tethering from your phone is almost always more private than public Wi-Fi. Mobile carriers also collect metadata, but the threat surface is much smaller — no evil twin, no captive portal, no shared subnet with other guests. For sensitive work like accessing email or banking from a café, hotspot first, public Wi-Fi second.
Frequently asked questions
- Is hotel Wi-Fi safe in 2026?
- Safer than it was, because HTTPS now covers almost everything. The real risks today are metadata collection by the property's network provider, captive portal manipulation, and DNS visibility. A VPN with DNS protection neutralizes all three.
- Do I really need a VPN if every site uses HTTPS?
- HTTPS protects content but not metadata. A VPN hides DNS lookups, your device's IP, traffic timing patterns, and which services you use. If you don't want the network operator or anyone snooping on the radio to know which sites you visit, a VPN is the right tool.
- Can hotel Wi-Fi see my passwords?
- If you log in over HTTPS — which every modern site uses — no. The login form is encrypted end to end with the server. The only modern way for hotel Wi-Fi to capture a password is to convince you to ignore a certificate warning, which any reasonable browser makes extremely scary on purpose.
- Is it safer to use the hotel's Ethernet jack instead of Wi-Fi?
- Slightly. You're no longer broadcasting your traffic on the radio, so evil-twin and passive sniffing risks drop. But all the other threats — DNS visibility, captive portals, metadata collection by the property's provider — remain identical. Use a VPN over either.