For fifteen years, the standard advice was simple: never use public WiFi without a VPN. The concern was legitimate — open networks transmitted all traffic in cleartext, readable by anyone in radio range with a packet capture tool. Sitting in a coffee shop and watching an unencrypted HTTP session between a neighboring laptop and a banking site was technically trivial. Sniffing credentials required nothing more than Wireshark and proximity. That threat model has changed in two independent directions: the web has largely moved to HTTPS, and WPA3 introduced Opportunistic Wireless Encryption for open networks.

WPA3 has been the current WiFi security standard since 2018. WPA2, its predecessor, has been deployed since 2004 and remains the majority protocol on networks worldwide. The gap between them is not cosmetic — there are genuine security improvements in WPA3 — but the threat model that justifies urgency depends on who is operating the network and what data crosses it. What WPA2 Actually Provides and Where It Falls Short WPA2 introduced AES-CCMP encryption to WiFi, replacing the broken WEP and transitional TKIP protocols that preceded it.