I came across a Reddit thread about someone using a neighbour’s WiFi, and the (unknown) neighbour later changed the SSID to the user’s gaming handle.

Lots of comments saying that public WiFi can be a trap, and a malicious actor can see all your packets, sniff your passwords, spoof login pages… And not one refuting it with SSL.

Am I missing something?! Is a WiFi/LAN actually that dangerous? I thought pretty much every site and service uses SSL these days, and signed certificates so (unless you have a particular Lenovo or Dell model) DNS spoofing won’t work.

And aren’t most ports on your own computer closed by default now? Unless you’ve opened ssh or a samba share with a poor password or something?

I realise packets can still be sniffed, website use can be tracked (but not the data, not things like passwords). With more work, that could be correlated to, for instance, what time a user logs on to a discord server.

Have I missed something big? Is someone else’s WiFi or LAN actually dangerous?

  • sylver_dragon@lemmy.world · 17 points · 4 days ago (edited)

    As other folks have already covered, most modern websites use TLS (formerly SSL) which will encrypt any thing going to/from those sites. Someone could redirect a page to a server they own and try to get you to enter your credentials into their site for harvesting, though you’d probably notice due to errors related to the security certificate. There is a risk here, but it’s not all that bad. Just pay attention to any security errors and maybe don’t go to high value sites (e.g. banking websites). There are some highly technical attacks (e.g. TLS downgrade) which could pose a risk. But, it’s not all that likely, and you’re probably fine. For the most part, you can ignore the “zomg! you need a VPN” ads clogging up YouTube. Yes, they have a use case. No, that’s probably not you.

    The other consideration is the security of your system itself. If you are running an old and vulnerable OS, it’s possible that an attacker could use the greater exposure to attack your system. For example, if you are running a Windows 7 system, there’s a real chance that you don’t have the EternalBlue patch applied or some other remote exploit vulnerability can be used to compromise your system. Even with a newer OS, if you haven’t been installing updates, you could have some holes which would allow an attacker in. Though, for most situations, there’s not going to be an attacker just waiting to pounce on your system. So, you probably don’t need to be worried. But, it’s also a good reminder to keep your system up to date, if you’re going to be using WiFi regularly. Some folks just get bored and start poking at anything around them. Make sure the doors are locked when those folks rattle the handle. It can also be useful to have a host based firewall running; even just setting the network to “Public” in Windows will do a lot to mitigate this risk.

    Security is always going to come down to a trade off between risk and convenience. Public WiFi can be very useful, but it does carry some risk. In most situations, you can mitigate that risk by keeping your system up to date, having a host based firewall running (even if it’s just Windows setting the network to “Public”), watching URLs/links carefully and watching for certificate errors in your browser.

    On the Privacy side, assume someone can track the domains you are visiting (though likely not the full URL). If you use normal DNS, the network owner can look at DNS logs and know all the sites you visited. Even if you use a different DNS server, the network owner could be sniffing the packets on the wire (DNS is not encrypted). Additionally, WiFi is logically a bus topology; so, anyone on the same network could be sniffing packets and also get all your DNS traffic. This is a good use case for DNS over HTTPS (DoH). With DoH, you can stick to a DNS provider of your choice and get TLS encryption to keep things private. Anyone sniffing packets would know that you are using DoH and would likely know what provider you are using, but not see the contents of the DNS queries.

    Of course, even with DNS traffic encrypted, most web servers still rely on Server Name Identification (SNI) to determine the host you are connecting to. The end result of this is that the domain you are visiting is sent, unencrypted over the wire and could be sniffed. There are solutions for this (e.g. eSNI), but they are not widely adopted yet. So, assume that anyone sniffing packets can get a list of the domains you are visiting. If this poses a serious risk to your safety (e.g. you are a journalist working in a repressive regime), this is a use case for a VPN. Though, using a VPN may be obvious to anyone monitoring and they could apply Rubber Hose Cryptanalysis to the problem.

    The tl;dr of this all is, you’re probably fine. The fact is, it’s more likely that no one gives a shit about you and all the other folks on that public WiFi are too busy looking at cat pictures to try and hack you. A few simple security hygiene things will cover the 99% situation, and the other 1% isn’t worth worrying about.

  • taladar@sh.itjust.works · 10 points · 4 days ago

    Unless websites use the very latest version of SSL, at the very least the hostname you connect to (the Server Name Indication field) is visible. As are your DNS queries, unless you use DoT or DoH or DNSCrypt or some similar encrypted DNS protocol.

    Until very recently most browsers also defaulted to using HTTP for any address you typed into the address bar without a protocol, so your first request was HTTP and could redirect you to an entirely different website. DNS spoofing would work just fine with this, since the website you actually connect to over HTTPS after the redirect is already attacker controlled and has a certificate for that attacker controlled domain (e.g. with replacement Unicode characters that look virtually identical to the original website domain name).

    The router can also see your MAC address, so they might have a unique identifier to track you across open WiFi networks (if we are talking commercial country-wide installations run by one company).

    Many gaming protocols also do not use TLS encryption since they rely on UDP, and while there are encryption variants for that, gaming is often unreasonably optimized for speed over everything else.

    So in summary, in general, yes, the network you are connected to can be dangerous and can learn some information about your network usage.

    • Björn Tantau@swg-empire.de · 3 points · 4 days ago

      Unless websites use the very latest version of SSL, at the very least the hostname you connect to (the Server Name Indication field) is visible.

      Has this been finalised? I’d really like to configure my Apache to get rid of SNI.

    • lurch (he/him)@sh.itjust.works · 3 points · 4 days ago

      You can additionally use a VPN or Tor to mask more, but in theory the VPN hoster or Tor exit node can see connections someone makes to the sites. The Tor exit nodes just don’t know it’s you and what you’re doing in encrypted connections. VPN providers may know it’s you, from your payment data.

      • taladar@sh.itjust.works · 3 points · 4 days ago

        Tor exit nodes could also identify you if they cooperate with some of the websites you visit (the way e.g. a government could force them to).

  • MTK@lemmy.world · 8 points · 4 days ago

    Do you know for sure that all traffic out of your devices is properly encrypted? Do you know for sure that none of your devices is listening on a port in an unsecured or vulnerable way?

    Realistically, a public WiFi is not as big of a deal as it used to be before almost everything moved to authenticated and encrypted protocols, but there are still plain protocols being used all the time (DNS for example), and unless your devices are super up to date you will probably have some possible security issues.

    Given the choice you should use a private WiFi, second best is a VPN over a public WiFi, third is a plain public WiFi.

    We are past the days when connecting to an attacker-controlled WiFi meant you were owned, but you are still at a privacy risk and some security risk.

  • neon_nova@lemmy.dbzer0.com · 7 points · 4 days ago

    Using public WiFi can be dangerous. I still use the hotel WiFi when traveling though.

    But if I’m doing anything important I’ll turn on my VPN for extra protection, because you do not know who is snooping on your data.

    A lot of data being transmitted is encrypted but the person in the middle could still see which sites you are accessing, just not the content.

    There are some attacks that can downgrade your connection so the stuff is not encrypted, but I don’t think that is very likely to happen due to other safety mechanisms.

    In addition to this, even if someone collects your encrypted internet traffic, they can’t see what the data is. But once quantum computers are accessible, they can easily break the encryption and look at everything.

    I don’t believe quantum resistant encryption is currently being used for https connections.

    Another thing they could do is make sites take you to an imposter site. So google.com could take you to a clone of that site and try to get you to log in and reveal your password and email address.

  • haui@lemmy.giftedmc.com · 3 points · 4 days ago

    You could also perform an SSL downgrade attack on some systems; if you own the WiFi, you can just redirect to malicious pages (i.e. rebuild the Steam page and have them log in), etc.

    • milicent_bystandr@lemm.ee (OP) · 3 points · 4 days ago

      Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certificate authority.

      For most purposes, doesn’t HTTPS thwart MITM attacks? It’s designed to be resilient against MITM for the whole chain through your ISP and other gateways to the destination, no?

      • taladar@sh.itjust.works · 4 points · 4 days ago

        Only if you start with HTTPS, but browsers have favored HTTP for backwards compatibility as the default protocol when something is entered in the address bar until very recently (less than a year for any browser to do that by default via HTTPS). Usually users don’t notice because websites redirect to HTTPS, but technically a MITM attacker could just redirect you somewhere else.

        • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org · 3 points · 4 days ago

          But even then, theoretically, even if not default, could you not just block the first request to HTTPS site causing fallback to HTTP and then redirect elsewhere for the purpose of nice lock icon?

          • taladar@sh.itjust.works · 4 points · 4 days ago

            If you have an HTTP fallback on HTTPS failure that might work, but only if the site doesn’t use HSTS and this is the first request on that client. I skipped over HSTS preloading in my earlier explanation, which also addresses this issue, for sites on the browsers’ list at least.
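An added example (my own, not code from any commenter) modelling the browser-side logic this sub-thread is arguing about: parsing the Strict-Transport-Security header, an HSTS cache with includeSubDomains and expiry, a preload list, and the address-bar default that decides whether a bare hostname produces a plaintext first request at all. The hostnames, header values and the simplified preload handling (preloaded names are assumed to cover their subdomains, matching the preload list's includeSubDomains requirement) are assumptions for illustration; a real browser keeps more state than this.

```python
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the policy lapses
    include_subdomains: bool


def parse_hsts_header(value: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for a malformed header or one without max-age, which RFC 6797
    makes mandatory; a header the browser rejects gives no protection at all."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # "preload" is only a submission hint; unknown directives are ignored
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Browser-side HSTS cache plus a constructed preload list."""

    def __init__(self, preload=()):
        self.entries = {}
        # assumption for illustration: a preloaded name covers its subdomains
        self.preload = {h.lower() for h in preload}

    def record_response(self, host: str, header: str, now: float) -> bool:
        """Store the policy an HTTPS response carried; False if it was ignored."""
        parsed = parse_hsts_header(header)
        if parsed is None:
            return False
        max_age, incl = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)       # max-age=0 withdraws the policy
        else:
            self.entries[host] = HstsEntry(now + max_age, incl)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """True if the host, or a parent with includeSubDomains, is still covered."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.entries.get(candidate)
            if entry is None or entry.expires <= now:
                continue                       # unknown or expired
            if i == 0 or entry.include_subdomains:
                return True
        return False


def navigation_scheme(typed: str, store: HstsStore, now: float,
                      browser_defaults_https: bool = False) -> str:
    """Scheme the browser uses for what was typed into the address bar.

    A plaintext "http" result is the first-request window the thread discusses;
    a cached HSTS policy, a preload entry, or an HTTPS-first default closes it."""
    if "://" in typed:
        return typed.split("://", 1)[0].lower()
    host = typed.split("/", 1)[0]
    if store.is_known(host, now):
        return "https"
    return "https" if browser_defaults_https else "http"


if __name__ == "__main__":
    store = HstsStore(preload=["example.net"])       # constructed preload entry
    t0 = 1_000.0
    print(navigation_scheme("shop.example.org", store, t0))        # first visit
    store.record_response("example.org", "max-age=600; includeSubDomains", t0)
    print(navigation_scheme("shop.example.org", store, t0 + 1))    # cached policy
    print(navigation_scheme("shop.example.org", store, t0 + 601))  # policy expired
```

The three printed lines go http, https, http: the policy only helps once the client has seen it over a clean HTTPS response and only for as long as max-age lasts, which is exactly why the preload list exists for the very first visit and why a short max-age quietly reopens the window.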

  • Björn Tantau@swg-empire.de · 2 points · 4 days ago

    Reminds me of my last time at the Chaos Communication Congress where suddenly Wikipedia was throwing SSL errors. Back then they also had a projector set up to display people’s passwords they had gathered. Now I’m curious if they still do that. Probably.