An evil twin is a rogue Wi-Fi access point configured to impersonate a legitimate one. The attacker sets up their own access point — often just a laptop or a small dedicated device — and broadcasts the same network name (SSID) as a network people trust: "Airport_Free_WiFi," "Starbucks," your hotel's network, your office. To every phone and laptop in range, it looks like the genuine article.
Why the Network Name Proves Nothing
The crux of the attack is a design reality of Wi-Fi: the network name is not an identity, it's just a label. Anyone can name their access point anything. There is no certificate, no cryptographic proof, nothing that ties the SSID "CoffeeShop_Guest" to the actual coffee shop. When two access points broadcast the same name, your device generally connects to whichever has the stronger signal — and an attacker sitting closer to you, with a more powerful antenna, wins that contest easily.
Worse, your device helps the attacker. To make reconnection seamless, phones and laptops keep a preferred network list of every Wi-Fi name they've ever joined, and many will automatically associate with any access point advertising one of those names. An attacker can listen for the networks your device is probing for and conjure a matching evil twin on the spot.
Connecting to "the right network name" tells you nothing about who actually runs the access point. Open Wi-Fi gives your device no way to authenticate the network — only the network gets to decide what to do with your traffic.
How the Attack Unfolds
A typical evil twin operation runs in a few stages:
- Clone. The attacker broadcasts an access point with the target's SSID, often near a place where that network is expected (an airport lounge, a hotel lobby, a conference).
- Lure or force the connection. They wait for devices to auto-join, or actively send deauthentication frames that knock your device off the real access point — prompting it to reconnect, this time to the stronger evil twin.
- Sit in the middle. Once you're connected, all your traffic flows through the attacker's machine. They're now positioned for a man-in-the-middle view of everything that isn't independently encrypted.
- Harvest. Common follow-ons include a fake captive portal — a convincing "log in to continue" or "confirm your account" page designed to phish credentials — and attempts to downgrade or intercept connections that aren't strictly protected.
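On the defending side, the same property that makes the attack work (two access points broadcasting one name) is also what gives it away. The following is an added example, not code from the original article: it compares Wi-Fi scan observations (constructed here) against an allowlist of the BSSIDs a site actually operates and flags any access point that advertises a known SSID from an unlisted BSSID, noting a security downgrade or a signal stronger than every legitimate AP. The inventory and scan format are assumptions for the example.

```python
# Constructed inventory of the networks a site legitimately operates:
# SSID -> the BSSIDs (AP MAC addresses) it owns and the security it is configured for.
KNOWN_NETWORKS = {
    "CoffeeShop_Guest": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "security": "WPA2"},
    "Corp-Staff": {"bssids": {"aa:bb:cc:00:00:10"}, "security": "WPA3"},
}

# Constructed scan observations, one per line: "bssid ssid channel security signal_dbm".
SCAN_LINES = """\
aa:bb:cc:00:00:01 CoffeeShop_Guest 6 WPA2 -60
aa:bb:cc:00:00:02 CoffeeShop_Guest 11 WPA2 -67
de:ad:be:ef:00:01 CoffeeShop_Guest 6 OPEN -35
aa:bb:cc:00:00:10 Corp-Staff 36 WPA3 -55
de:ad:be:ef:00:02 Corp-Staff 36 WPA3 -40
11:22:33:44:55:66 Neighbour_Net 1 WPA2 -80
"""

def parse_scan(text):
    """Parse the constructed scan format into a list of observation dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines instead of crashing the monitor
        bssid, ssid, chan, sec, rssi = parts
        rows.append({"bssid": bssid.lower(), "ssid": ssid, "channel": int(chan),
                     "security": sec.upper(), "rssi": int(rssi)})
    return rows

def find_evil_twins(observations, known=KNOWN_NETWORKS):
    """Return (ssid, bssid, reason) for each AP advertising a known SSID from an unlisted BSSID."""
    # Strongest signal seen from a legitimate AP per SSID; a rogue that beats it wins the clients.
    best_legit = {}
    for obs in observations:
        profile = known.get(obs["ssid"])
        if profile and obs["bssid"] in profile["bssids"]:
            best_legit[obs["ssid"]] = max(best_legit.get(obs["ssid"], -1000), obs["rssi"])
    findings = []
    for obs in observations:
        profile = known.get(obs["ssid"])
        if profile is None or obs["bssid"] in profile["bssids"]:
            continue  # unknown SSIDs are out of scope; listed BSSIDs are the real APs
        reasons = ["unlisted BSSID advertising a known SSID"]
        if obs["security"] != profile["security"]:
            reasons.append(f"security {obs['security']} instead of {profile['security']}")
        if obs["rssi"] > best_legit.get(obs["ssid"], -1000):
            reasons.append("stronger signal than every legitimate AP, so clients will prefer it")
        findings.append((obs["ssid"], obs["bssid"], "; ".join(reasons)))
    return findings
```

Running `find_evil_twins(parse_scan(SCAN_LINES))` reports the two constructed rogues: the open clone of CoffeeShop_Guest and the stronger WPA3 clone of Corp-Staff.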
What an Evil Twin Can and Can't See
This is where the modern web has genuinely improved your odds — and where it's important to be precise rather than alarmist.
| Your traffic | Exposure to an evil twin |
|---|---|
| Properly encrypted HTTPS / TLS sessions | Contents protected — the attacker sees that you connected, but not the data, as long as you don't bypass certificate warnings |
| Which sites and servers you contact (metadata) | Visible — destination addresses and timing leak even over HTTPS |
| Anything sent over plain HTTP or unencrypted protocols | Fully exposed — readable and modifiable in transit |
| Credentials typed into a fake captive portal | Handed straight to the attacker |
The headline most articles bury: because the overwhelming majority of web traffic is now HTTPS, an evil twin can no longer simply read your passwords and messages off the wire the way it could a decade ago. The remaining danger is concentrated in two places — metadata leakage (the attacker learns where you go even if not what you say), and social-engineering layers like captive-portal phishing and tricking you into ignoring a certificate warning.
How to Defend Yourself
Treat certificate warnings as a hard stop
A correctly functioning HTTPS connection is your single best protection against an evil twin, because it authenticates the server even when the network is hostile. The one way an attacker defeats that is by getting you to click through a browser security warning. Don't. A certificate error on a public network is exactly the symptom an evil twin produces — treat it as a tripwire, not an inconvenience.
Use a VPN on untrusted networks
A trustworthy VPN wraps all your traffic in an encrypted tunnel before it reaches the access point, so an evil twin sees only opaque data to a single endpoint — denying it both content and most metadata. Understand the limits of a VPN: it moves your trust to the VPN provider rather than eliminating it, but on hostile Wi-Fi that's usually a trade worth making.
Disable auto-join and prune saved networks
Turn off "automatically join" for open networks, and periodically delete saved public Wi-Fi names so your device stops broadcasting that it's looking for them. Forgetting "Free_Airport_WiFi" after your trip removes one of the attacker's easiest hooks.
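One way to make that pruning a routine instead of a chore on a Linux laptop that uses NetworkManager. This is an added example, not from the article: it assumes `nmcli` with the `connection show` fields NAME, TYPE, AUTOCONNECT and TIMESTAMP and the per-profile `802-11-wireless-security.key-mgmt` property (empty for an open network); the 30-day threshold and the sample profiles are constructed for the example.

```python
import subprocess
import time

STALE_DAYS = 30  # assumed policy: forget open networks not joined within this many days

# Constructed records in the shape read_profiles() returns:
# (name, key_mgmt, autoconnect, last_used_epoch); an empty key_mgmt means an open network.
NOW = 1_700_000_000
SAMPLE_PROFILES = [
    ("Home-5G", "wpa-psk", "yes", NOW - 3600),
    ("Free_Airport_WiFi", "", "yes", NOW - 90 * 86400),  # open and long unused: forget it
    ("CoffeeShop_Guest", "", "yes", NOW - 2 * 86400),    # open, used recently: stop auto-join
    ("Corp-Staff", "wpa-eap", "yes", NOW - 86400),
    ("Hotel_Lobby", "", "no", NOW - 5 * 86400),          # open but already manual: nothing to do
]

def plan_changes(profiles, now, stale_days=STALE_DAYS):
    """Return the nmcli commands that apply the policy; secured profiles are left alone."""
    cmds = []
    for name, key_mgmt, autoconnect, last_used in profiles:
        if key_mgmt:
            continue  # WPA/WPA2/WPA3 profiles give the client a way to authenticate the network
        if now - last_used > stale_days * 86400:
            cmds.append(["nmcli", "connection", "delete", name])
        elif autoconnect == "yes":
            cmds.append(["nmcli", "connection", "modify", name, "connection.autoconnect", "no"])
    return cmds

def _nmcli(*args):
    return subprocess.run(["nmcli", *args], check=True, capture_output=True, text=True).stdout

def read_profiles():
    """Collect every saved Wi-Fi profile from NetworkManager (requires nmcli on the host)."""
    profiles = []
    for line in _nmcli("-t", "-f", "NAME,TYPE,AUTOCONNECT,TIMESTAMP", "connection", "show").splitlines():
        # Terse output is colon-separated; split from the right so a ':' escaped in the name survives.
        name, ctype, autoconnect, ts = line.rsplit(":", 3)
        if ctype != "802-11-wireless":
            continue
        name = name.replace("\\:", ":")
        key_mgmt = _nmcli("-g", "802-11-wireless-security.key-mgmt", "connection", "show", name).strip()
        profiles.append((name, key_mgmt, autoconnect, int(ts or 0)))
    return profiles

if __name__ == "__main__":
    for cmd in plan_changes(read_profiles(), int(time.time())):
        print(" ".join(cmd))  # print the plan first; run the commands you agree with
```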
Be skeptical of captive portals
A legitimate captive portal almost never needs your email password, social-media login, or payment details to grant Wi-Fi access. Any "log in with your account to continue" page on public Wi-Fi deserves deep suspicion. When possible, prefer a personal hotspot or your mobile data for anything sensitive.
Don't rely on the lock icon alone for trust
WPA3-protected networks and enterprise Wi-Fi with proper server-certificate validation raise the bar significantly, because they give the client a way to authenticate the network. Open public Wi-Fi gives you none of that — which is why the assumption on any open network should be that someone may be listening.
The evil twin works because we taught our devices to value convenience — instant reconnection to a familiar name — over verification. The fix is to push the verification back up a layer: encrypt your traffic so the network can't read it, and authenticate the servers you talk to so the network can't impersonate them.
The Principle Underneath
Evil twin attacks are a clean illustration of a rule that runs through all of security: never let the transport layer be the thing you trust. The network you're on will sometimes be hostile, and you usually can't tell in advance. The durable answer isn't to find a "safe" network — it's to make the network irrelevant by encrypting and authenticating end to end, so that even an attacker sitting directly in your path sees nothing useful.
That's the same assumption Haven builds on. Your messages are encrypted on your device before they ever touch a network, so whether you're on your home router or a stranger's evil twin in an airport, the people in the middle see ciphertext and nothing more. A hostile access point should be a non-event — and with end-to-end encryption, it is.