If I'm using a wifi network I don't really trust (coffeeshops, airports, etc.), I'll turn on HTTPS Everywhere and further enable "Block all unencrypted requests," effectively giving me "HTTP Nowhere."

This works for most things - for a few things I'll open an incognito window in Chrome, which simultaneously turns off extensions and doesn't send my original cookies, and I'll be careful about what I do in that window (certainly no logins to sites I care about). This is generally enough for e.g. reading some random news site that doesn't support HTTPS at all.




Can I ask why you don't [seem to] use a VPN?

The reason I ask is, I'm under the impression that a VPN definitively mitigates this kind of attack. I'd have to change my habits if it turns out a VPN is not a one-stop-shop solution for this kind of attack. And, in case convenience matters to you: an enabled-by-default VPN is also less configuration and fewer manual steps than turning on HTTPS everywhere and blocking all unencrypted requests.


I haven't evaluated VPN providers enough to decide if there's one I trust. An evil VPN (or an insecure one taken over by evil people) is in an extremely easy position to MITM my HTTP traffic: it's technically easier than MITMing wifi traffic, and they also know my identity (either because I paid with a real-world identity, or they have logs of where I'm connecting from and what I'm connecting to).

For performance reasons I don't want an always-on VPN; I trust my home wifi, my phone's hotspot, etc. at least as much as I trust any VPN I could use, so I wouldn't get any benefit from it.

I suppose the thing I should actually do is route over an SSH SOCKS tunnel to some server I control, which would work fine.

(A thing I have wanted for a while is a configuration that does this for HTTP and lets HTTPS through normally for performance, which now that I think about it, I can probably just write a proxy PAC file to do ... thanks, I'll see if I can improve my setup.)
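A proxy PAC file of the kind described above, as an added example that is not part of the original comment. It assumes the SSH SOCKS tunnel is listening locally on 127.0.0.1:1080 (e.g. started with `ssh -D 1080 user@server`, also an assumption); cleartext schemes are sent through the tunnel and TLS-protected ones go direct:

```javascript
// PAC file: route cleartext browser traffic through a local SSH SOCKS
// tunnel, let end-to-end-encrypted traffic go direct for performance.
// Assumed tunnel endpoint (hypothetical): ssh -D 1080 listening here.
var TUNNEL = "SOCKS5 127.0.0.1:1080";

// Loopback traffic never needs the tunnel.
function isLoopback(host) {
  return host === "localhost" || host === "127.0.0.1" || host === "[::1]";
}

// Browser entry point: return a proxy string for each request.
function FindProxyForURL(url, host) {
  var scheme = url.split(":")[0].toLowerCase();
  if (isLoopback(host)) {
    return "DIRECT";
  }
  // TLS schemes are already protected end to end; skip the tunnel.
  if (scheme === "https" || scheme === "wss") {
    return "DIRECT";
  }
  // Cleartext schemes (http, ws, ftp) and anything unrecognised go
  // through the tunnel. Deliberately no "; DIRECT" fallback: if the
  // tunnel is down the request fails instead of leaking in the clear.
  return TUNNEL;
}
```

Whether the tunnel also carries DNS lookups for tunnelled hosts depends on the browser's SOCKS remote-DNS setting, not on the PAC file; and, as noted in the replies, only the browser's own requests follow this file.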


> I suppose the thing I should actually do is route over an SSH SOCKS tunnel to some server I control, which would work fine.

This is what I do. The only danger with that over a regular VPN is anything not part of your browser's standard stream will not be sent over the proxy. This includes browser plugins as well. Thankfully Flash and Java are generally disabled by default, but it's still worth bearing that limitation in mind.

Despite this, SSH SOCKS is still my preferred method as well.


Use Algo on a droplet.


How secure is it?


Keep in mind your browser isn't the only app you're running that makes network connections, and it's not even the only app that makes network connections that runs network-supplied JavaScript. I wonder how much research has been done into Electron apps like Slack and WhatsApp from a JavaScript exploit point of view?


I don't run the Electron apps because I just don't trust them - I already have a perfectly good and secure thing for running JS, it's my browser. :-) I agree that they're a huge attack surface.

The only other things that should be making connections are OS update checks, which should be secure already, and an SSH or mosh client.



