Australians love free Wi-Fi. Libraries offer it, shopping centres offer it, fast-food chains offer it, the council offers it in the park. For the most part this is great — it's a public good that takes pressure off mobile data plans. But "free and convenient" doesn't always mean "as private as your home network", and the difference is worth knowing before you start doing your banking in the food court.

Not all public Wi-Fi is the same

There's a quiet hierarchy of "how safe is this network, really" that most people never think about. Roughly:

Open, no password, no captive portal. The worst. Anyone in range can join. Anyone on the network with the right tools can watch traffic that isn't otherwise encrypted. Common at small cafes and on tourist-heavy strips.

Open, with a captive portal “accept terms” page. A bit better — the operator at least knows who's connected and can throttle abuse — but the actual radio link is still open. This is most airports, shopping centres and fast-food restaurants.

Password-protected, with a shared WPA2/WPA3 password the staff give you. Better still — the radio link is encrypted — but the password is shared with every other guest. Most cafes and hotels.

Private network you're a member of, like a workplace. Generally safer, but only as safe as the workplace's IT setup.

What is actually risky on Aussie public Wi-Fi

It's worth being calm about this. Most modern apps and websites use HTTPS, which encrypts the connection between you and the service regardless of the network — banks, email providers and major sites are all on HTTPS. So if you're using a well-maintained app on a typical network, you're already encrypted end-to-end at the application level.

Where things go pear-shaped:

  • Old apps that aren't HTTPS-only. Some niche apps, internal tools and older sites still send some traffic in the clear. On public Wi-Fi, that's visible to anyone snooping.
  • DNS lookups. Even with HTTPS, the names of the sites you visit are usually visible in DNS queries unless you've explicitly enabled DNS-over-HTTPS or are using a VPN.
  • Captive portals injecting content. Some networks inject ads or tracking into pages. Less common in Australia than in tourist destinations overseas, but it does happen.
  • Evil Twin networks. A laptop in the corner broadcasting "Free_Airport_WiFi" alongside the real airport network. People connect to the wrong one and the fake operator sees everything.

What a VPN does about it

A VPN encrypts everything between your device and a VPN server, including DNS lookups and the names of sites you visit. The network operator and anyone else on the network see encrypted traffic going to a known VPN provider — not the apps you're using.

It also blunts Evil Twin attacks. Even if you accidentally connect to a fake network, the VPN tunnel is set up before any meaningful data leaves your device, and the fake operator can't see inside it.

An Aussie-friendly checklist

  • Treat any open network as semi-public. Skip activities you wouldn't do on someone else's laptop.
  • Don't log into MyGov, ATO, banking or government services on open Wi-Fi unless you have to. Use mobile data or a VPN. These accounts unlock a lot if compromised.
  • Turn off "auto-connect to known networks" on your phone. Evil Twin attacks rely on your phone silently joining anything that looks familiar.
  • If a network has the same name as one you've used before but no padlock icon, be suspicious. Forget it and pick another.
  • Use a VPN on anything that's open or shared. One tap, one less thing to worry about.
  • Keep your phone and laptop OS up to date. Half the protection on a public network is just being patched.
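The "same name but no padlock" check from the list above can be automated. The sketch below is an added example, not part of the original article: it assumes scan results in the colon-separated form printed by `nmcli -t -f SSID,BSSID,SECURITY device wifi list`, and both the sample scan and the `SAVED` record of previously joined networks are constructed for illustration.

```python
import re

# Strength order for advertised security; empty or "--" means an open network.
RANK = {"open": 0, "WEP": 1, "WPA1": 2, "WPA2": 3, "WPA3": 4}

# Constructed scan output, one SSID:BSSID:SECURITY record per line.
SAMPLE_SCAN = r"""
CafeGuest:3C\:84\:6A\:10\:22\:01:WPA2
CafeGuest:02\:11\:22\:33\:44\:55:
Free_Airport_WiFi:3C\:84\:6A\:77\:00\:10:--
HotelLobby:58\:EF\:68\:AA\:BB\:01:WPA2 WPA3
HotelLobby:58\:EF\:68\:AA\:BB\:02:WPA1 WPA2
"""

# Hypothetical record of networks this device has joined before.
SAVED = {"CafeGuest": "WPA2", "Free_Airport_WiFi": "open", "HotelLobby": "WPA2"}

def parse_scan(text):
    """Parse terse scan lines; colons inside a field arrive backslash-escaped."""
    nets = []
    for line in text.strip().splitlines():
        # Split only on colons that are not preceded by a backslash.
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) != 3 or not fields[0]:
            continue  # malformed line or hidden SSID
        ssid, bssid, sec = fields
        modes = [m for m in sec.split() if m in RANK]
        best = max(modes, key=RANK.get) if modes else "open"
        nets.append({"ssid": ssid, "bssid": bssid.upper(), "security": best})
    return nets

def suspicious(saved, scan):
    """Flag visible networks that reuse a saved name with weaker security."""
    findings = []
    for net in scan:
        expected = saved.get(net["ssid"])
        if expected is not None and RANK[net["security"]] < RANK[expected]:
            reason = f"saved as {expected}, now advertised as {net['security']}"
            findings.append((net["ssid"], net["bssid"], reason))
    return findings

if __name__ == "__main__":
    for ssid, bssid, reason in suspicious(SAVED, parse_scan(SAMPLE_SCAN)):
        print(f"WARNING {ssid} ({bssid}): {reason}")
```

This only catches a security downgrade. A same-named network that matches the saved setting, or a network that was saved as open in the first place, gives it nothing to compare, which is why the checklist still says to use a VPN on anything open or shared.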

The point

Public Wi-Fi in Australia is mostly fine, mostly. The problem is "mostly" isn't great when you're logging into your bank. A VPN takes "mostly" off the table — private on every network, every time, with the same low-friction tap.

Arresti VPN is Australian-owned, veteran-owned, with a strict no-logs policy. One subscription covers up to 5 devices. Sign up here — AUD $3.99/month, with a 30-day money-back guarantee.