What HTTPS actually protects
Since 2018, HTTPS has become the absolute standard of the web. Thanks to the Let's Encrypt initiative and browser policies (Chrome and Firefox flag HTTP sites as 'not secure'), over 95% of global web traffic is encrypted via TLS.
This encryption protects the content of your exchanges in transit between your device and the site's server: your passwords, bank card details, messages, and files. Someone intercepting your Wi-Fi traffic sees only cryptographic noise and cannot read what you send or receive.
Public Wi-Fi in 2026 is therefore fundamentally less dangerous than in 2015 for direct data interception. Most alarmist advice you read is inherited from an era when HTTP was still ubiquitous.
What it doesn't protect
HTTPS does not hide metadata. On a network you don't control, an observer can see which domain you're connecting to (not the exact URL, but the domain — thanks to the SNI visible in plain text during the TLS handshake), at what time, for how long, and how much data is exchanged. These metadata are revealing.
An attacker on the same network can also perform DNS spoofing if your device doesn't use DNS over HTTPS — replacing legitimate DNS responses with addresses pointing to their own servers. They can create a fake hotspot with exactly the same name as the legitimate Wi-Fi (Evil Twin attack) to intercept your connections before they reach the internet. They can also attempt SSL stripping on the rare sites that don't have HSTS enabled.
Real risks in 2026
In practice, the residual risks on public Wi-Fi in 2026 are as follows:
- Evil Twin: a rogue Wi-Fi network carrying exactly the same name as the legitimate one, a technique particularly common in airports and major train stations. You connect to what looks like the right network, but your traffic passes through equipment controlled by an attacker.
- DNS spoofing if your device doesn't force DNS over HTTPS: your DNS queries can be redirected to malicious servers.
- Apps that still use plain HTTP for some functions (authentication, sync); rare in 2026, but they exist.
- Session hijacking on sites without properly configured Secure and SameSite cookies.
Practical recommendations
On a public Wi-Fi network, activating your VPN before any connection remains the best practice. A VPN defeats the Evil Twin attack (your traffic is encrypted before it even leaves your device, so the rogue access point only carries an encrypted tunnel) and DNS spoofing (your VPN uses its own encrypted DNS servers).
Disable Wi-Fi auto-connect on your phone — this is the feature that automatically connects you to any network with a name you've used before. It's convenient, but it's exploited by Evil Twin attacks.
Verify that sensitive sites (banking, email, shopping) display the HTTPS padlock in your browser before entering anything. On iOS and Android, serious apps enforce HTTPS natively.
Public Wi-Fi is less dangerous than it was ten years ago, but that's no reason to let your guard down. Residual risks — Evil Twin, DNS spoofing, misconfigured apps — are real and exploitable. With a VPN enabled and DNS over HTTPS, you're protected against virtually all practical attacks on an unsecured network.