I sat in a coffee shop with my laptop, connected to their public Wi-Fi, and deliberately didn't use any security precautions. No VPN. No special browser settings. Just me and the open network.
On another laptop across the room, I ran network monitoring tools to see what could be intercepted.
What I saw in the next thirty minutes changed how I think about public Wi-Fi forever.
The Experiment
Let me be clear: I did this in a controlled way on my own devices to understand the actual risks. I didn't intercept anyone else's traffic. That would be illegal and unethical.
But I wanted to know: what can someone really see when you use public Wi-Fi without protection?
The answer? A lot more than I expected.
I connected my "victim" laptop to the coffee shop's free Wi-Fi. Then I did normal things: checked email, browsed news sites, searched for restaurants, logged into a shopping site.
My "attacker" laptop, running freely available network analysis software, watched everything flowing across the network.
The results were eye-opening and disturbing.
What Was Visible Immediately
Within seconds of connecting, my device announced itself to everyone on the network. Its name, operating system, manufacturer. Not sensitive information exactly, but the start of a profile.
Every website I visited created DNS queries that were completely visible. DNS is like the phone book of the internet, translating website names into addresses. These queries aren't encrypted on most networks.
So even though I might be visiting encrypted websites, the DNS queries revealed which sites I was accessing. News sites. Social media. Online shopping. Everything. A complete log of my browsing activity, just from DNS queries.
Then there were the unencrypted sites. You'd think most sites use encryption now, right? They mostly do. But not all. And when they don't, everything is visible.
I visited one local news site that wasn't using HTTPS. Every page I viewed, every article I read, every link I clicked, completely visible to anyone monitoring the network.
The Cookie Problem
Here's something I didn't fully appreciate until this experiment: cookies.
Even when visiting encrypted sites, some information leaks through cookies transmitted over unencrypted connections or during redirects. Session cookies, tracking cookies, authentication tokens sometimes.
I watched my own browser send cookies that could potentially be captured and used for session hijacking. That's where an attacker steals your session cookie and uses it to impersonate you on a website without needing your password.
On my monitoring laptop, I could see these cookies in plaintext for certain sites. With a bit of technical knowledge, someone could copy those cookies and potentially access my accounts.
I tested this by capturing one of my own session cookies and using it in another browser. It worked. I was logged in without entering credentials. If I could do this to myself, someone else could do it to me. This is why using unique passwords for every account is critical—if one session is compromised, others remain safe.
The Email Situation
Email protocols can be especially vulnerable on public networks.
I checked email through a web interface using HTTPS, which was reasonably secure. But I also tested an email client configured to use older protocols.
The result? My monitoring tools could see email server communications, potentially including credentials and message headers. Not the full content of encrypted messages, but metadata about who I was emailing and when.
For anyone using outdated email configurations or apps that don't enforce encryption, this is a serious vulnerability. Your emails could be intercepted on public networks.
The Real Attack Scenarios
What I tested was passive monitoring, just watching traffic go by. But actual attackers use more sophisticated techniques.
Man-in-the-middle attacks are frighteningly easy on public Wi-Fi. An attacker positions themselves between you and the websites you're visiting, intercepting and potentially modifying traffic.
They can present fake SSL certificates, hoping you'll click through the warning. They can inject ads or malware into unencrypted web pages. They can redirect you to fake login pages that look identical to real ones—essentially combining network attacks with phishing techniques for devastating effect.
I tested a basic man-in-the-middle setup on my own connection. It took less than five minutes to configure, using free tools, with no advanced technical knowledge. I could see everything, including some data I thought was encrypted.
Evil twin attacks are even simpler. An attacker creates a fake Wi-Fi network with a legitimate-sounding name. "Coffee Shop Guest WiFi" instead of "Coffee Shop WiFi." People connect to the fake network, and everything flows through the attacker's device first.
I walked around the coffee shop with a Wi-Fi analyzer. There were eight networks visible. I had no idea which was the legitimate one. An attacker could easily set up a convincing fake.
What Surprised Me Most
The scariest part wasn't what I could see. It was how easy it was to see it.
The tools I used are freely available. The techniques are well-documented online. You don't need to be a hacker or have deep technical knowledge. Anyone with basic computer skills and malicious intent could do this.
And I was being careful. I didn't attempt any actual attacks, just monitored my own traffic. A real attacker would be far more aggressive and could capture much more data.
The other surprise was how many people around me were obviously not protecting themselves. Without looking at their traffic, just by observing their devices on the network, I could see dozens of phones and laptops connected without any apparent security measures.
They were checking email, browsing, probably entering passwords and accessing sensitive accounts. All potentially vulnerable to anyone on the network with bad intentions.
The False Sense of Security
Many people think they're safe if the Wi-Fi network requires a password. That's partly true and partly dangerous.
A password-protected network encrypts traffic between your device and the router. That's better than completely open networks. But everyone who has the password can potentially decrypt that traffic.
In a coffee shop where the password is written on the wall, that's everyone. The encryption protects you from people outside the network, but not from other people connected to the same network.
And if the attacker controls the network, maybe they set up that evil twin access point, the password doesn't protect you at all. You're encrypting your traffic and sending it directly to an attacker.
When It Gets Personal
This wasn't just an academic exercise for me. I've used public Wi-Fi countless times without thinking about it. Airports, hotels, coffee shops, libraries. I've checked email, logged into accounts, maybe even accessed banking information.
After this experiment, I think about every time I did that without protection. What information might have been intercepted? Who might have been monitoring? What accounts could be compromised?
I'll never know. And that's what's scary.
I've heard stories of people having accounts hacked after using public Wi-Fi. Email accounts used to send spam. Social media accounts posting suspicious links. Even banking credentials stolen and used for fraud.
It always seemed unlikely, like something that happens to other people. Now I understand how easily it could happen to anyone.
How to Actually Protect Yourself
After seeing how vulnerable public Wi-Fi really is, I completely changed my approach.
Always use a VPN on public networks. A VPN encrypts all your traffic before it leaves your device, creating a secure tunnel through the public network. Even if someone intercepts your data, they can't read it.
I use a VPN now whenever I'm on any network I don't completely control. It's not paranoia, it's basic security hygiene.
Only visit HTTPS websites. Look for the lock icon in your browser. This encrypts traffic between you and the website, protecting against interception. Modern browsers warn about unencrypted sites, don't ignore those warnings.
Turn off automatic Wi-Fi connection. Your device should not connect to networks without asking. This prevents accidentally connecting to evil twin networks or untrusted access points.
Forget networks after you're done. Don't leave public networks saved in your device. If you saved "Coffee Shop WiFi" and an attacker creates a fake network with the same name, your device might automatically connect.
Use your phone's hotspot when possible. Your own cellular connection is more secure than public Wi-Fi. If you need to access something sensitive and don't have a VPN, use your phone's data instead.
Avoid sensitive activities on public Wi-Fi. Banking, password changes, sensitive work documents, anything you'd be devastated to have compromised. Save those for secure networks whenever possible.
The Reality Check
Public Wi-Fi is incredibly convenient. I'm not going to stop using it. But I'm going to use it safely.
The threats are real. The tools to exploit vulnerabilities are freely available. The number of people using public Wi-Fi without protection is staggering.
You might use public Wi-Fi hundreds of times without incident. But it only takes once. One attacker on one network intercepting one session could compromise your accounts, steal your identity, or expose your private information.
This experiment showed me that these aren't theoretical risks. They're practical, easy to exploit, and probably happening more often than we realize.
What I Do Now
Every device I own has a VPN configured. Before connecting to any public network, I start the VPN. It's become automatic, like putting on a seatbelt.
I check for HTTPS on every site I visit, especially if I'm entering any information. If a site doesn't use encryption, I don't use it on public networks.
I keep my firewall enabled and my software updated. Security patches often address vulnerabilities that could be exploited on public networks.
And I'm just more aware. When I see someone in a coffee shop casually entering credit card information over public Wi-Fi, I want to warn them. When I see passwords written on the walls for public networks, I cringe knowing how little security that actually provides.
The Bottom Line
I conducted this experiment to understand the actual risks of public Wi-Fi, not just the theoretical warnings everyone hears.
The reality is worse than I expected. The tools are easier to use, the vulnerabilities are more extensive, and the number of people at risk is larger than I imagined.
Using public Wi-Fi without protection is like having a conversation in a crowded room while pretending you're alone. Everyone can hear you. Most people aren't listening. But some might be.
Protect yourself. Use a VPN. Visit only encrypted sites. Disable automatic connections. Save sensitive activities for secure networks.
The convenience of public Wi-Fi isn't worth the risk of everything you do being visible to strangers with bad intentions.
I learned that lesson clearly. I hope you don't have to learn it the hard way.