I often work from cafés and public WiFi — what do I need?
Public WiFi introduces a specific threat that antivirus alone doesn't address: network-level exposure. On an open or shared network, other devices on the same network can potentially intercept unencrypted traffic, attempt to redirect connections, or probe your machine for open ports. Antivirus protects against malware on your device — it doesn't encrypt your traffic or prevent network-level interception.
Quick answer
When it matters
- Unencrypted traffic — HTTP connections (not HTTPS) on a shared network are readable by anyone with packet capture tools; most modern sites use HTTPS, but not all
- Evil twin attacks — a malicious hotspot mimics a legitimate network name to intercept connections before they reach their destination; a VPN mitigates this by encrypting traffic regardless of which network you're on
- ARP spoofing — an attacker on the same network can redirect traffic intended for the router through their own device; a VPN encrypts the content of redirected traffic
- Port scanning — devices on the same network can probe your machine for open ports and services; a software firewall limits exposure; Windows Firewall should be active on public network profiles
The practical risk level on public WiFi varies significantly by location. A coffee shop with 20 regular customers is different from a coworking space shared with unknown parties. If you're handling sensitive data — business email, financial accounts, client information — the risk calculus justifies a VPN. For casual browsing on HTTPS sites, the practical exposure is lower.
When it fails
- Malware already on your device — a VPN encrypts network traffic; it doesn't remove or detect software-level threats; AV remains the relevant tool for that layer
- DNS leaks — some VPN implementations don't route DNS queries through the encrypted tunnel; verify your VPN client doesn't leak DNS to the local network
- VPN trust — your encrypted traffic goes through the VPN provider's servers; if the VPN provider is untrustworthy or subject to data requests, the traffic is visible to them instead of the local network; jurisdiction and no-logs audit status matter here
Using public WiFi with a VPN and up-to-date AV covers both the network-level and device-level threat surfaces. Enabling Windows Firewall on public network profiles adds a third layer by limiting what services are exposed to the local network.
How providers fit
F-Secure Total fits if trust in both the AV and VPN components matters. Unlimited VPN on F-Secure's own infrastructure, not a third-party VPN with an F-Secure label. Finnish company, EU jurisdiction, no data monetization policy across both components. One of the stronger privacy-oriented options in this combined category.
Norton 360 fits if an established brand with unlimited bundled VPN is the priority. All 360 plans include unlimited VPN — no daily cap. The VPN no-logs claim hasn't been verified by a named third-party auditor; relevant if VPN trust is part of the decision. Practical for users who want device protection and public WiFi coverage in one subscription.
Bitdefender includes VPN in Total Security with a daily data limit on the standard plan; Premium Security removes the cap. The AV component is top-rated. If daily WiFi usage is extensive, verify whether the VPN data cap fits actual usage before selecting the lower-tier plan.
The public WiFi risk is a network-privacy problem, and the solution is a VPN. AV is a separate, complementary layer that remains relevant regardless of network. If you need both, F-Secure Total has the strongest combined trust posture; Norton 360 is practical if brand trust and unlimited VPN are the priorities; Bitdefender if detection quality is paramount and the VPN data cap fits usage.
Related
Where to go next
© 2026 Softplorer