by delish 3074 days ago
Can I ask why you don't [seem to] use a VPN?

The reason I ask is, I'm under the impression that a VPN definitively mitigates this kind of attack. I'd have to change my habits if it turns out a VPN is not a one-stop-shop solution for this kind of attack. And, in case convenience matters to you: an enabled-by-default VPN is also less configuration and fewer manual steps than turning on HTTPS everywhere and blocking all unencrypted requests.


I haven't evaluated VPN providers enough to decide if there's one I trust. An evil VPN (or an insecure one taken over by evil people) is in an extremely easy position to MITM my HTTP traffic: it's technically easier than MITMing wifi traffic, and they also know my identity (either because I paid with a real-world identity, or they have logs of where I'm connecting from and what I'm connecting to).

For performance reasons I don't want an always-on VPN; I trust my home wifi, my phone's hotspot, etc. at least as much as I trust any VPN I could use, so I wouldn't get any benefit from it.

I suppose the thing I should actually do is route over an SSH SOCKS tunnel to some server I control, which would work fine.

(A thing I have wanted for a while is a configuration that does this for HTTP and lets HTTPS through normally for performance, which now that I think about it, I can probably just write a proxy PAC file to do ... thanks, I'll see if I can improve my setup.)
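The PAC file sketched in the comment above, written out as an added example (not code from the thread or from any of the commenters). It assumes the SSH SOCKS tunnel is listening on 127.0.0.1:1080 (port chosen for the example) and was opened with `ssh -N -D 1080 user@your-server`; the loopback exceptions are also an assumption.

```javascript
// Proxy auto-config (PAC) script: plain HTTP goes through the SSH SOCKS
// tunnel, HTTPS goes direct for performance. Assumes the tunnel was
// started with:  ssh -N -D 1080 user@your-server   (port is an assumption)
const SOCKS_TUNNEL = "SOCKS5 127.0.0.1:1080";

// Hosts that should never be sent through the tunnel (assumed list).
const LOCAL_HOSTS = ["localhost", "127.0.0.1", "::1"];

// Browsers call this with the full URL and its host part.
function FindProxyForURL(url, host) {
  // Local services: no reason to bounce them off a remote server.
  if (LOCAL_HOSTS.includes(host)) {
    return "DIRECT";
  }
  // Plain HTTP is readable and modifiable by anyone on the path (wifi,
  // ISP), so tunnel it. No "; DIRECT" fallback on purpose: if the tunnel
  // is down, the request fails instead of silently going out in the clear.
  if (url.startsWith("http:")) {
    return SOCKS_TUNNEL;
  }
  // HTTPS is end-to-end encrypted, so it can skip the tunnel. The hostname
  // (SNI) and the fact that you connected are still visible on the wifi.
  return "DIRECT";
}
```

This only covers traffic the browser routes through its proxy settings; anything else on the machine still uses the network directly.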

> I suppose the thing I should actually do is route over an SSH SOCKS tunnel to some server I control, which would work fine.

This is what I do. The only danger with that over a regular VPN is anything not part of your browser's standard stream will not be sent over the proxy. This includes browser plugins as well. Thankfully Flash and Java are generally disabled by default, but it's still worth bearing that limitation in mind.

Despite this, SSH SOCKS is still my preferred method as well.

Use Algo on a droplet.
How secure is it?