Lukewarm take:

When I see general* "security advice" that mentions "do not use public WiFi" or "use a VPN", I am immediately suspicious about all other advice offered.

Yes, a decade ago that was a consideration, because most sites were not using HTTPS. Credentials were flying cleartext on the wire.

Today, almost all sites use HTTPS. Doesn't mean the risk is zero, but it's way lower.

*) "general" meaning "without a very specific threat model in mind", meant for general public, etc.

#InfoSec

Actually, downgraded that take to "lukewarm", it should really not be controversial at all these days. It's been a hot minute since LetsEncrypt changed the HTTPS landscape!

What is beyond me is that such "security advice" still gets pushed. 

Also, shout-out to @letsencrypt for dramatically changing the security landscape of the Web for the better over the years.

Rarely is there an example of a project so effective and so directly improving everyone's lives, while at the same time keeping the original engineering mindset and just Doing Stuff Right™ humbly in the background.

Next November it will have been exactly a decade since LE started. We all owe them a huge 10th birthday party.

#InfoSec

@rysiek @letsencrypt well. I agree, but with HTTPS not everything is done and secure. The main content is mostly encrypted by HTTPS, but DNS usually is not. The public WiFi provider can't see your password, but can see what websites you are using, as DNS-over-HTTPS is not widespread yet.

@stepan @letsencrypt yes, it is always the question of how deep you want to go into the rabbit hole. In the end you end up in the On Trusting Trust world and manually etching your own PCBs to make sure they are not hardware-backdoored. 🤷‍♀️

@stepan @rysiek @letsencrypt do you want to offer a random public WiFi provider a fraction of your DNS traffic, or a VPN provider all of your DNS traffic? I think the latter is worse.

Yes, VPN brings protection, but only if you run the server yourself.

@stepan
But the public WiFi provider cannot anymore inject JavaScript into the sites you're viewing, or change the bank account number you're about to make a transfer to.
And DoH is somewhat problematic, because sure, now the thousands of WiFi providers cannot see DNS queries - but the three DoH providers can.
@rysiek @letsencrypt
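The point made in the two replies above (the hotspot operator sees which sites you visit through plaintext DNS queries and the TLS SNI field, but not the HTTPS payload, and DoH only moves that visibility to the resolver) can be shown with a short Python example. This is added illustration, not code from any participant in the thread. It constructs a few packets inline (a plaintext DNS query, a minimal TLS ClientHello carrying SNI, an opaque TLS application-data record and, for contrast, a pre-HTTPS cleartext login request; the `bank.example` hostname, the credentials and the `observer_view` function are all made up for the demonstration) and parses out what an on-path observer can read from each.

```python
import struct


def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Constructed plaintext DNS A query (UDP payload) for `hostname`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_qname(payload: bytes) -> str:
    """Read the queried name out of the first question of a DNS message."""
    pos, labels = 12, []
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    return ".".join(labels)


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello whose only extension is server_name (SNI)."""
    name = sni.encode()
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32               # legacy version + (constructed) random
            + b"\x00"                                 # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_tls_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                   # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                             # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                             # compression methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:      # server_name: list len(2), name type(1), name len(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return None


def observer_view(frames):
    """What an on-path observer (e.g. the hotspot operator) can read from each frame.
    `frames` is a list of (protocol, payload) pairs."""
    seen = []
    for proto, payload in frames:
        if proto == "dns":
            seen.append(("hostname via DNS query", parse_dns_qname(payload)))
        elif proto == "tls" and payload[0] == 0x16:
            seen.append(("hostname via TLS SNI", parse_tls_sni(payload)))
        elif proto == "tls" and payload[0] == 0x17:
            seen.append(("TLS application data",
                         f"{len(payload) - 5} encrypted bytes, content hidden"))
        elif proto == "http":
            request_line, body = payload.decode().split("\r\n\r\n", 1)
            seen.append(("cleartext HTTP", f"{request_line.splitlines()[0]} body={body}"))
    return seen


# Constructed sample traffic from one session on a public hotspot (not a real capture).
SAMPLE_FRAMES = [
    ("dns", build_dns_query("bank.example")),
    ("tls", build_client_hello("bank.example")),
    ("tls", b"\x17\x03\x03" + struct.pack("!H", 48) + bytes(range(48))),  # opaque ciphertext
    # For contrast: what the same login looked like before the site used HTTPS.
    ("http", b"POST /login HTTP/1.1\r\nHost: bank.example\r\n\r\nuser=alice&password=hunter2"),
]

if __name__ == "__main__":
    for what, value in observer_view(SAMPLE_FRAMES):
        print(f"{what:24} {value}")
```

Running it prints the hostname twice (once from DNS, once from SNI), then only a byte count for the encrypted record, and finally the full credentials from the legacy cleartext request. That is the whole argument of the thread in one screen: HTTPS removed the password from the wire, while the site name still leaks through DNS and SNI, and moving DNS to a DoH resolver hands that part of the picture to the resolver instead of the hotspot.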