Is public WiFi safe without a VPN?

Short answer

Mostly yes, but not entirely. Modern HTTPS encrypts website traffic end-to-end, so the credentials and page content you send stay private even on hotel or café WiFi. What's still exposed: the domain names you visit, DNS lookups, app traffic that doesn't use TLS, and anything captured by a malicious access point pretending to be the network you expect to join.

The threat model changed in the 2010s. Pre-HTTPS, public WiFi was genuinely dangerous; today it's mostly fine for browsing, with a small set of edge cases that still matter — captive portals, evil-twin access points, and anything routed outside TLS.

What's actually visible to other people on the network

Domain names: when you visit `nytimes.com`, the SNI field in the TLS handshake reveals the domain even though the URL path and content stay encrypted. Anyone passively sniffing the network sees the list of sites you visit.

DNS lookups: still typically unencrypted unless you've enabled DNS-over-HTTPS or DNS-over-TLS. The whole list of every site your device queries is visible.

App traffic without TLS: rare in 2026 but not zero — some legacy apps and IoT devices still send tokens or telemetry in clear text.

Evil-twin access points are the residual real threat

An attacker sets up an SSID called `Hilton-Guest` next to the actual hotel network. Your device joins the strongest signal. The attacker's box now sees all your DNS, can serve you fake captive-portal pages that ask for credentials, and can MITM anything that doesn't pin certificates strictly.

A VPN defeats this entirely: even on a hostile network, the only thing the attacker sees is encrypted traffic to your VPN provider's IP.

When a VPN actually helps

Three concrete benefits on public WiFi: it hides DNS lookups from the network, it hides the SNI domain stream, and it makes evil-twin attacks pointless because you tunnel out of the local network before doing anything.

Practical recommendation: treat public WiFi as untrusted, use a VPN if you're going to do anything that involves logging in, and if you're not, just rely on HTTPS — which is doing most of the work today.

Last verified: 2026-05-05
