As you travel this holiday season, bouncing from airport to airplane to hotel, you’ll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But these days? Friend, go for it.

This advice comes with plenty of qualifiers. If you’re planning to commit crimes online at the Holiday Inn Express, or to visit websites that you’d rather people not know you frequented, you need to take precautionary steps that we’ll get to in a minute. Likewise, if you’re a high-value target of a sophisticated nation state—look at you!—stay off of public Wi-Fi at all costs. (Also, you’ve probably already been hacked some other way, sorry.)

But for the rest of us? You’re probably OK. That’s not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.


“A lot of the former risks, the reasons we used to warn people, those things are gone now,” says Chet Wisniewski, principal researcher at security firm Sophos. “It used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel.”

In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks, from hackers tracking your every move online, to so-called man-in-the-middle efforts that tricked you into entering your passwords, credit card information, or more on phony websites. A cheap, easy-to-use device called a Wi-Fi Pineapple makes those attacks simple to pull off.

All of that's still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.

HTTPS All Over

Look at the URL bar in your browser. Do you see that little lock symbol on the left? That means that traffic on this site is encrypted in transit from WIRED’s servers to your browser and back. That encryption is enabled by what’s known as HTTPS: Hypertext Transfer Protocol, with the ‘S’ standing for Secure. The most important thing to know about HTTPS, though, is that it obviates most of the attacks that (rightly) scared you off of public Wi-Fi in the first place.

“If you’re in the US, the web is pretty well encrypted. It’s unusual to go to a website that matters and it’s not HTTPS,” says Tod Beardsley, director of research at security firm Rapid7. “Because of that, the threat, and really the risk, of going on even sketchy local Wi-Fi has dramatically dropped.”


Just how dramatically? Consider that as recently as March 2016, only 21 of the web’s top 100 sites used HTTPS by default. Today, that number has flipped. Seventy of the top 100 sites have HTTPS switched on by default, with nine more offering HTTPS compatibility. Many of the holdouts are based in China. As of January 2017, more than half of the web was encrypted. Today, about 84 percent of websites loaded through Firefox have HTTPS enabled. And yes, that includes porn.
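The gap between HTTPS "by default" and mere HTTPS "compatibility" matters on an untrusted network, because a site that still serves pages over plain HTTP leaves that first request readable to anyone on the same Wi-Fi. The sketch below is an added example, not code from the article or from the sources behind its figures; the category names, the classification criteria and the `.example` hosts with their responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def hsts_max_age(headers):
    """Seconds from a Strict-Transport-Security header, or 0 if absent/invalid."""
    for directive in headers.get("strict-transport-security", "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return max(int(arg.strip().strip('"')), 0)
            except ValueError:
                return 0
    return 0

def classify(http_resp, https_resp):
    """Each argument is {'status': int, 'headers': {lowercase-name: value}},
    or None when nothing answered on that port."""
    if https_resp is None or https_resp["status"] >= 400:
        return "http-only"
    if http_resp is None:
        upgraded = True   # port 80 closed: no plaintext page to fall back to
    else:
        target = urlsplit(http_resp["headers"].get("location", ""))
        upgraded = http_resp["status"] in REDIRECTS and target.scheme == "https"
    if not upgraded:
        return "https-available"   # first request can stay in plaintext
    if hsts_max_age(https_resp["headers"]) > 0:
        return "https-default+hsts"  # browser upgrades later visits itself
    return "https-default"

# Constructed observations (not measurements): (port 80 reply, port 443 reply)
SAMPLES = {
    "shop.example": ({"status": 301, "headers": {"location": "https://shop.example/"}},
                     {"status": 200, "headers": {"strict-transport-security":
                                                 "max-age=31536000; includeSubDomains"}}),
    "news.example": ({"status": 302, "headers": {"location": "https://www.news.example/"}},
                     {"status": 200, "headers": {}}),
    "forum.example": ({"status": 200, "headers": {}}, {"status": 200, "headers": {}}),
    "legacy.example": ({"status": 200, "headers": {}}, None),
}

def survey(samples):
    return {host: classify(*pair) for host, pair in samples.items()}

if __name__ == "__main__":
    for host, verdict in survey(SAMPLES).items():
        print(f"{host:16} {verdict}")
```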

HTTPS has some arguable drawbacks. Mainly, there’s virtually no barrier to getting HTTPS certification, which has made it attractive for criminal groups hoping to add an air of authenticity to bogus sites. That little green padlock guarantees that you’re sending data encrypted, but not that the person on the receiving end has scruples.

But that has nothing to do with hotel or airport Wi-Fi. You can fall for those scams no matter how you’ve connected to the internet. And using that approach to target those specific locations hardly seems worth it in practice.

“You’d have to get a soundalike domain name, register that, then get an encryption certificate, then get someone to go to your site,” says Beardsley. “I don’t know how successful an attack would be to set up my rogue Wi-Fi, wait for people to mistype a URL, and come to my fake bank site. I’m not super sure that’s a very valuable attack. You’re going to be waiting a long time for that typo.” Especially given another, slightly less recent change in how we use the web: So few people actively type URLs that Google has considered doing away with them altogether.