Binary code and digital security visualization

How to Tell If a Wi-Fi Network Is Safe

I've lost count of the number of sketchy Wi-Fi networks I've met—Airbnb routers with default admin passwords, airports with fake hotspots, cafés running decade-old firmware. Instead of rolling the dice each time, I run a quick triage before I let any new network touch my devices. This checklist takes less than five minutes and has saved me from credential theft more than once.

Photo: Unsplash / Markus Spiske

1. Inspect the Network Name and Setup

  • Does the SSID look official? If the café is “Café Rio,” the network should not be “Free_Public_WiFi_01.” I confirm with staff before connecting.
  • Check for duplicate SSIDs. Attackers clone names. On macOS, I click the Wi-Fi icon while holding Option to view BSSID (MAC address) and channel. Multiple identical SSIDs on different BSSIDs/channels? Suspicious.
  • Security protocol. WPA3 and WPA2 are acceptable. WPA/WEP or “open” networks get a hard no unless I’m using a VPN and virtual machine.
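
The duplicate-SSID check above, as an added sketch (not part of the original post). It runs over constructed scan results; the networks, BSSIDs and the `triage` helper are hypothetical. Because one SSID on several BSSIDs is normal for dual-band or multi-AP setups, it flags only groups whose security mode or vendor prefix disagree.

```python
from collections import defaultdict

# Constructed scan results: (SSID, BSSID, channel, security, RSSI in dBm).
SCAN = [
    ("CafeRio", "a4:2b:b0:11:22:33", 6, "WPA2", -58),
    ("CafeRio", "a4:2b:b0:11:22:34", 44, "WPA2", -63),      # second radio, same vendor
    ("HostelGuest", "c0:25:e9:aa:bb:01", 1, "WPA2", -70),
    ("HostelGuest", "02:1a:11:f0:0d:99", 11, "Open", -41),  # look-alike, much stronger
    ("Lobby", "d8:07:b6:00:00:10", 36, "WPA3", -66),
]

def oui(bssid):
    """Vendor prefix: the first three octets of the BSSID."""
    return bssid.lower()[:8]

def triage(scan):
    """Return {ssid: [reasons]} for SSIDs whose access points disagree."""
    by_ssid = defaultdict(list)
    for ssid, bssid, _chan, security, _rssi in scan:
        by_ssid[ssid].append((bssid, security))
    findings = {}
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue  # a single BSSID cannot be a clone pair
        reasons = []
        if len({sec for _, sec in aps}) > 1:
            reasons.append("mixed security")             # e.g. WPA2 next to Open
        if len({oui(b) for b, _ in aps}) > 1:
            reasons.append("different vendor prefixes")  # a hint, not proof
        if reasons:
            findings[ssid] = reasons
    return findings

if __name__ == "__main__":
    for ssid, reasons in triage(SCAN).items():
        print(f"{ssid}: {', '.join(reasons)}")
```
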

2. Examine Router Hardware

If it’s an Airbnb or hostel where routers are visible:

  • Look at the back label. If the admin password is still “admin/admin,” assume the firmware is outdated.
  • Check for manufacturer names. TP-Link Archer C7? Fine. Random no-name router? I tread carefully.
  • Peek at the blinking lights. Constant activity even when no one is online can mean background traffic or malware.

3. Assess the Captive Portal

  • After connecting, open a browser and enter http://neverssl.com. If a captive portal appears, note how much data it demands. I only enter email if necessary; phone numbers go to a burner Google Voice account.
  • Read the terms. Some portals inject ads or traffic shaping. If they list “monitoring of traffic,” I treat it as hostile.

4. Run Quick Diagnostics

  1. Ping test: ping -c 4 1.1.1.1. High latency (>200 ms) often signals congestion or throttling.
  2. DNS check: nslookup example.com. If responses come from odd IPs, someone may be spoofing DNS.
  3. Port scan: nmap -p 1-1024 --reason hotspot.gateway.ip. I’m looking for unexpected open ports like Telnet (23) or FTP (21).
  4. ARP scan: arp -a. A sudden flood of entries could indicate ARP spoofing.
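
One way to read the `arp -a` output from step 4, as an added example (not from the original post): besides a flood of entries, one MAC address answering for several IPs, the gateway included, is a typical sign of ARP spoofing. The sample output is constructed in macOS style with made-up addresses, and the helper names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output (macOS prints octets without leading zeros).
SAMPLE = """\
? (192.168.8.1) at 94:83:c4:0:1f:2a on en0 ifscope [ethernet]
? (192.168.8.23) at 3c:22:fb:91:7:c0 on en0 ifscope [ethernet]
? (192.168.8.57) at 94:83:c4:0:1f:2a on en0 ifscope [ethernet]
? (192.168.8.90) at (incomplete) on en0 ifscope [ethernet]
? (192.168.8.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
"""

# Matches "(ip) at mac"; "(incomplete)" entries do not match and are skipped.
ENTRY = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9A-Fa-f:]{11,17})\b")

def normalize(mac):
    """Zero-pad each octet so 0:1f and 00:1f compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def shared_macs(arp_output):
    """Return {mac: [ips]} for unicast MACs that answer for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in ENTRY.findall(arp_output):
        mac = normalize(mac)
        if int(mac[:2], 16) & 1:  # broadcast/multicast bit set: not a host
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_is_shared(arp_output, gateway_ip):
    """True if the gateway's MAC is also claimed by another IP."""
    return any(gateway_ip in ips for ips in shared_macs(arp_output).values())

if __name__ == "__main__":
    for mac, ips in shared_macs(SAMPLE).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A router holding two addresses can produce the same pattern, so treat a hit as a reason to investigate, not proof.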

5. Evaluate Encryption and Certificates

  • Visit https://www.cloudflare.com. If the TLS certificate warning pops up, bail. Interception or proxying might be happening.
  • Use curl -I https://example.com. Check the response headers. If you see additional Via headers referencing the hotspot vendor, they’re proxying traffic.

6. Decide Risk Level and Respond

| Risk Level | Indicators | My approach |
| --- | --- | --- |
| Low | WPA3/WPA2, official SSID, no captive portal, normal latency | Connect via travel router + VPN, proceed |
| Medium | Open network, captive portal asking for info, old router | Use VPN + firewall, avoid sensitive logins |
| High | Certificate warnings, duplicate SSIDs, unexpected redirects | Don’t connect. Switch to LTE/eSIM |

7. Harden Before Logging In

If I decide to use the network:

  • Enable firewall on macOS (pfctl) or Windows Defender Firewall.
  • Launch VPN (Mullvad WireGuard). I prefer multi-hop (e.g., Netherlands → Canada) when networks are sketchy.
  • Use my GL.iNet travel router. All my devices connect to it, not the hotel directly. The router handles captive portals once; everything behind it inherits the secure tunnel.
  • Force DNS via DoH/DoT. I run cloudflared on the router so all DNS requests travel encrypted.

8. Monitor Actively

  • Little Snitch (macOS) alerts me to new outbound connections. If I see something like 123.45.67.89:9001, I investigate.
  • NetSpot or WiFi Analyzer (Android) shows signal strength and overlapping channels. If a new, stronger signal appears with the same SSID, I assume evil twin.
  • TripMode blocks data-hungry apps (Dropbox, iCloud) until I’m on a trusted network.

9. Plan B Networks

I always travel with alternatives:

  • Airalo eSIM for regional data. Load 5 GB pack before arrival.
  • Local SIM purchased at airport or mall. Insert into a spare phone or router.
  • Offline-first tools so I can work without internet (Obsidian for notes, Cron calendar with offline cache, 1Password local sync).

Real World Example: Warsaw Co-Living Space

  • SSID looked normal but there were two copies. macOS showed different BSSIDs; one had signal strength 20 dBm stronger.
  • Captive portal requested passport numbers—hard pass.
  • curl test revealed self-signed certificate injection.
  • Decision: tethered to Orange Poland LTE via phone, used travel router to distribute bandwidth. Later, I politely told the manager. Turns out the building had a rogue access point someone installed.

If You Already Connected to a Bad Network

  1. Disconnect immediately.
  2. Disable Wi-Fi auto-join for that SSID.
  3. Run malware scans (Malwarebytes, Windows Defender).
  4. Change passwords for any services you accessed during the session.
  5. Rotate authentication tokens (Slack, GitHub) if you saw weird prompts.

Final Thoughts

You can’t control every network, but you can control your paranoia level. A five-minute checklist beats discovering your banking credentials in a data dump. Trust your gut—if the captive portal feels off, or the staff seems unsure of the password, default to LTE. There will always be another café with better Wi-Fi and less drama.