The real threats in public Wi-Fi
Let’s separate facts from paranoia. The most common threats in public Wi-Fi are: Man-in-the-Middle (MITM) attacks: Someone positions themselves between your Mac and the router and intercepts traffic. HTTPS mitigates this for web browsing, but not all app traffic uses HTTPS. Fake hotspots: Someone creates a fake Wi-Fi network with a legitimate name ("Starbucks_Free_WiFi"). You connect, and all traffic is monitored. Packet sniffing: In open (unencrypted) networks, anyone can capture network packets. HTTPS encrypts content, but metadata — which servers you contact, when, how often — is visible. ARP spoofing: A technical attack that redirects traffic within the local network.
Why HTTPS alone isn’t enough
"But everything is encrypted with HTTPS!" — that’s partly true but misleading. HTTPS protects the content of web traffic. An attacker cannot read your emails. But they CAN see: which domains you contact (DNS queries are often unencrypted), timing and volume of your traffic (metadata), and any app traffic that doesn’t use HTTPS. Many desktop apps still use unencrypted connections for some functions. Update checks, analytics pings, and telemetry often use HTTP. More importantly: your Mac background apps don’t know they’re on a risky network. Dropbox syncs, email clients fetch, and analytics SDKs phone home.
Step 1: Secure your apps
The most effective protection is reducing your attack surface. Most of your apps don’t need internet access on public Wi-Fi. With a per-app firewall like NetMute, create a 'Public Wi-Fi' network profile that only allows essential apps: browser, VPN client, maybe email. Everything else is blocked. This prevents: background apps leaking data over untrusted networks, unnecessary connections revealing metadata, and apps syncing large data over potentially monitored connections. NetMute can automatically activate this profile when you connect to an untrusted network.
Step 2: Use a VPN (but understand its limits)
A VPN encrypts all your traffic and routes it through a secure tunnel. This prevents local attackers from reading your data. Use a reputable VPN on any public network. But a VPN doesn’t solve everything. It doesn’t stop your apps from connecting — it only encrypts the connection. An app leaking data to a tracker still does so. The tracker still receives your data; they just have a encrypted tunnel. VPN + per-app firewall is the ideal combo: the VPN encrypts, the firewall controls access.
The complete protection setup for public Wi-Fi
Here’s the step-by-step setup we recommend: 1. Before connecting: activate your VPN and switch to a restrictive network profile in NetMute. 2. After connecting: allow only essential apps (browser, VPN, email). Block everything else. 3. Watch for warnings: NetMute alerts you to suspicious network behaviour like captive portals. 4. After use: disconnect from the public network. Your normal profile is restored automatically. 5. Best practice: never use sensitive accounts (banking, admin panels) on public Wi-Fi if possible. With this setup, public Wi-Fi becomes manageable and less risky.