To see what OWE fixes, start with what an open network actually is. When you join a Wi-Fi network with a password, your device and the access point run a handshake that produces unique encryption keys, so the data flying through the air is scrambled. An open network skips that handshake entirely. There is no shared secret to derive keys from, so the frames go out unencrypted. Anyone nearby with the right software can capture them, and on a busy network that means capturing everyone's.
The traditional answer was to tell people to use a VPN or to trust that HTTPS covers them. Both help, and you should still use transport encryption, but neither addresses the underlying fact that the wireless link itself is broadcasting in plaintext. OWE, standardized as RFC 8110 and certified by the Wi-Fi Alliance under the name Wi-Fi CERTIFIED Enhanced Open, encrypts that link even though no one typed a password.
How you get a key from nothing
The trick is that a password was never actually required to establish encryption. It was required to establish encryption plus authentication at the same time. OWE separates those. It uses a Diffie-Hellman key exchange when a device associates with the access point, so the two sides derive a shared secret over the air without any pre-shared password. From that secret they generate the same kind of per-session keys a password-protected network would, and the traffic is encrypted from then on.
The important property of a Diffie-Hellman exchange is that a passive eavesdropper who records the whole conversation still cannot compute the resulting key. Each client that joins gets its own independent exchange and therefore its own keys. One person on the network cannot decrypt another person's traffic, which is a sharp improvement over legacy open Wi-Fi where everyone shared the same absence of protection.
OWE gives every device on an open network its own encrypted link with the access point, derived through Diffie-Hellman, with no password to enter. Passive sniffing of your traffic by others on the same network stops working.
The limit you have to understand: no authentication
Here is where honesty matters, because OWE solves one problem cleanly and leaves another untouched. It encrypts the link, but it does not authenticate the access point. Since there is no password and no certificate, your device has no way to confirm that the access point it just encrypted a session with is the real coffee-shop network rather than an impostor a few tables away.
That gap keeps the door open to an active attacker. Someone can stand up an evil twin, an access point that advertises the same network name, and if your device connects to it, the attacker sits in the middle of an encrypted-but-attacker-controlled link. The encryption is real, but it is encryption to the wrong party. OWE stops the casual passive eavesdropper. It does not, on its own, stop the attacker willing to run their own rogue access point and lure you onto it.
| Wi-Fi mode | Link encrypted? | Access point authenticated? |
|---|---|---|
| Legacy open | No | No |
| Enhanced Open (OWE) | Yes, per client | No |
| WPA3-Personal (password) | Yes, per client | Shared secret proves both know the password |
Where OWE fits, and transition mode
OWE arrived alongside WPA3 as part of the same generation of Wi-Fi security improvements, and it is aimed squarely at the networks that will never have a password: cafes, airports, hotels, libraries, public spaces. For those, the realistic comparison is not OWE versus a password network. It is OWE versus nothing, and against nothing it is a clear gain.
Because not every device supports Enhanced Open yet, the standard defines a transition mode that lets an access point offer both an OWE-protected network and a legacy open one under the same name, so older clients still connect while newer ones automatically get encryption. It smooths adoption, though it also means a device that silently falls back to the open version is back to plaintext, which is worth remembering when you rely on the encryption being there.
Enhanced Open removes the excuse that public Wi-Fi has to be unencrypted. It does not remove the need to verify who you are actually talking to, which is a job for the layers above the radio.
What to actually do about public Wi-Fi
OWE is a reason for cautious optimism, not a reason to relax. Treat it as one layer that removes the easiest attack against you on an open network while leaving the harder ones in place. The practical posture has not really changed.
- Keep encrypting above the link. HTTPS, and end-to-end encryption in your messaging and email, protect your content regardless of what the Wi-Fi does or does not do. That protection holds even against an evil twin, because the attacker controlling the radio still cannot read a properly end-to-end encrypted payload.
- Do not assume authentication you were not given. An encrypted link is not proof you are on the real network. Be wary of networks that appear unexpectedly or duplicate a familiar name.
- Prefer networks that show as Enhanced Open, when you have the choice, over ones that are fully open, since the former at least closes off passive sniffing by others sharing the air with you.
The through-line connects to how good security is built in general. No single layer is the whole answer. OWE hardens the wireless hop, transport encryption hardens the path across the internet, and end-to-end encryption protects the message itself so that even a compromised network cannot read it. Haven's encryption lives at that top layer for exactly this reason: the safest assumption is that the network under you is hostile, and to make sure your content survives it anyway.