Why Open WiFi Networks Are No Longer Necessarily Dangerous (OWE and Enhanced Open)
For fifteen years, the standard advice was simple: never use public WiFi without a VPN. The concern was legitimate — open networks transmitted all traffic in cleartext, readable by anyone in radio range with a packet capture tool. Sitting in a coffee shop and watching an unencrypted HTTP session between a neighboring laptop and a banking site was technically trivial. Sniffing credentials required nothing more than Wireshark and proximity.
That threat model has changed in two independent directions: the web has largely moved to HTTPS, and WPA3 introduced Opportunistic Wireless Encryption for open networks. Neither development makes public WiFi unconditionally safe, but together they substantially reduce the practical risk of the scenario that drove the “always use VPN” advice.
How Open Networks Worked Before WPA3
A traditional open WiFi network — no password required — conducted all data transmission without encryption. The 802.11 frames carrying your web traffic, DNS queries, email, and application data were transmitted as cleartext radio signals. Anyone within radio range running a device in monitor mode could capture every frame and read the content.
The practical attack was passive and scalable: a single attacker could simultaneously capture traffic from all nearby devices without any active interaction with the network. The captured data could be stored and analyzed later. HTTP sites exposed login credentials, session cookies, and content directly. DNS queries revealed browsing patterns even when site content was encrypted. HTTPS sites were significantly safer — the transport layer encryption protected content — but the metadata (which domains were queried, when, how often) remained visible.
The HTTPS Shift
Between 2015 and 2022, the web’s encryption posture changed dramatically. Let’s Encrypt, launched in 2015, eliminated the cost and complexity barrier to HTTPS deployment. Google’s search ranking signal for HTTPS (introduced in 2014) and browser warning labels for HTTP sites (Chrome began marking HTTP as “Not Secure” in 2018) created strong incentives for site operators to migrate. Browser telemetry from 2025 consistently shows over 90% of web traffic in major markets traveling over HTTPS connections.
The implication: passive eavesdropping on public WiFi in 2026 captures encrypted content for the overwhelming majority of web sessions. An attacker watching HTTPS traffic sees server names, connection timing, and data volumes — meaningful metadata — but not the content of the sessions. The credential-harvesting attack that made public WiFi dangerous required cleartext HTTP to deliver useful results. Against HTTPS, it delivers substantially less.
Opportunistic Wireless Encryption
WPA3’s Enhanced Open mode — formally called Opportunistic Wireless Encryption (OWE) as defined in RFC 8110 — adds a second layer of protection at the WiFi radio layer, independent of whether the web traffic is encrypted.
OWE performs an ephemeral Diffie-Hellman key exchange between the client and the access point when the client associates. Both sides generate temporary key pairs, exchange public keys, and derive a shared session key. This key is unique to the session, generated fresh each connection, and never transmitted over the air — only the public components of the key exchange are visible to an observer. The shared key encrypts all subsequent WiFi frames between that client and the AP.
The result: traffic on an OWE-protected open network is encrypted at the radio layer even though no password is required. An eavesdropper capturing radio frames cannot decrypt them without the session key, which was never transmitted. This eliminates the passive eavesdropping attack entirely, regardless of whether the application layer traffic is HTTPS or HTTP.
What OWE Does Not Protect Against
OWE is not authentication. It encrypts traffic between the client and the AP, but it does not verify that the AP is legitimate. A rogue access point — an attacker-controlled AP with the same network name as the genuine coffee shop WiFi — can offer OWE encryption. The client connects, the traffic is encrypted between the client and the rogue AP, and the rogue AP decrypts it on the other side before forwarding it onward. The client’s traffic is protected from other clients and passive eavesdroppers, but not from the operator of the network itself.
This is the remaining threat model for public WiFi: a malicious or compromised network operator. This is a more targeted and active attack than passive eavesdropping, and significantly rarer. A VPN provides protection against this scenario because traffic is encrypted end-to-end beyond the AP, preventing even the network operator from reading content. For users handling genuinely sensitive information — financial accounts, business credentials, confidential communications — on public networks, a VPN remains the appropriate defense against this specific threat.
For casual browsing, checking news, using social media, or other low-sensitivity activities on a public network with OWE support: the risk profile in 2026 is meaningfully lower than it was in 2015. The scenario that warranted categorical “never use public WiFi” advice — passive credential harvesting — requires either an attacker-controlled AP or a failure of both HTTPS and OWE simultaneously.
Checking for OWE Support
OWE-protected open networks advertise in the same way as standard open networks — no password prompt appears. The difference is visible in the WiFi security details if you look for them: on Android, the network’s security field will show “Enhanced Open” or “OWE.” On iOS, the information panel for a connected network indicates if Enhanced Open is in use. Most operating systems updated after 2021 support OWE clients automatically.
Not all public WiFi access points have been updated to offer OWE. The rollout depends on venue operators updating their hardware and firmware. A hotel or airport network running equipment installed in 2018 is likely still offering a traditional open network. The same hotel that upgraded to WiFi 6 hardware in 2022 or later is likely offering OWE.
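For anyone auditing a venue's access points rather than reading a phone's settings screen, the same "security field" can be derived from the beacon itself. This added example (not from the original article) parses a beacon's tagged parameters and reports whether the RSN element advertises the OWE key-management suite (00-0F-AC:18); the sample beacons are constructed, and the function names and result strings are illustrative.

```python
import struct

OUI = b"\x00\x0f\xac"                                 # IEEE 802.11 suite OUI
AKM = {1: "802.1X", 2: "PSK", 8: "SAE", 18: "OWE"}   # AKM suite types
MFPR = 0x0040                                         # RSN capabilities: PMF required

def elements(blob):
    """Split a beacon's tagged parameters into {element_id: body}."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated information element")
        out.setdefault(blob[i], blob[i + 2:i + 2 + blob[i + 1]])
        i += 2 + blob[i + 1]
    return out

def rsn_summary(rsn):
    """Return (AKM names, PMF required?) from an RSN element body (ID 48)."""
    try:
        off = 6                                       # skip version + group cipher
        (n,) = struct.unpack_from("<H", rsn, off)
        off += 2 + 4 * n                              # skip pairwise cipher list
        (n,) = struct.unpack_from("<H", rsn, off)
        suites = [rsn[off + 2 + 4 * k:off + 6 + 4 * k] for k in range(n)]
        (caps,) = struct.unpack_from("<H", rsn, off + 2 + 4 * n)
    except struct.error:
        raise ValueError("truncated RSN element") from None
    names = [AKM.get(s[3], "other") if s[:3] == OUI else "vendor" for s in suites]
    return names, bool(caps & MFPR)

def classify(blob):
    rsn = elements(blob).get(48)
    if rsn is None:
        return "open, cleartext"                      # no RSN element at all
    names, pmf = rsn_summary(rsn)
    if names == ["OWE"]:
        return "Enhanced Open (OWE)" if pmf else "OWE advertised without required PMF"
    return "password or enterprise: " + "/".join(names)

# Constructed beacons: SSID element "Cafe", optionally followed by an RSN element
SSID = b"\x00\x04Cafe"
SAMPLES = {
    "legacy": SSID,
    "owe": SSID + bytes.fromhex("30140100000fac040100000fac040100000fac12c000"),
    "psk": SSID + bytes.fromhex("30140100000fac040100000fac040100000fac020000"),
}
```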
The safest approach for public WiFi in 2026: treat OWE networks as reasonably safe for most activities, continue using HTTPS-verified sites for sensitive sessions, and deploy a VPN for any scenario involving confidential professional data or authentication credentials to critical accounts. The categorical VPN requirement for all public WiFi is less defensible than it was a decade ago, but the VPN habit remains sensible for the residual threat surface.