Actually, the "HTTPS Everywhere" plugin [1] for firefox and chrome is
an incomplete solution. The reason is simple; not all sites support
HTTPS, so the plain HTTP-only sites are still vulnerable.
Injecting a script into insecure HTTP is just one of many abuses possible
by ISP's. Replacing images on the fly is another. Recompressing (degrading)
images/video is another. Messing with DNS responses is another, and so on...
A far better working solution is to use a VPN service since when it's configured
correctly, it will encrypt all traffic passing through your ISP. Of course, this
is really just moving the trust problem, rather than solving it, but at least using
a VPN service makes it your decision who to trust. I use Tunnelr.com [2] since by
reputation, similar interests, and years of traded emails, I know the people who run it.
Injecting a script into insecure HTTP is just one of many abuses possible by ISP's. Replacing images on the fly is another. Recompressing (degrading) images/video is another. Messing with DNS responses is another, and so on...
A far better working solution is to use a VPN service since when it's configured correctly, it will encrypt all traffic passing through your ISP. Of course, this is really just moving the trust problem, rather than solving it, but at least using a VPN service makes it your decision who to trust. I use Tunnelr.com [2] since by reputation, similar interests, and years of traded emails, I know the people who run it.
[1] https://www.eff.org/https-everywhere
[2] http://tunnelr.com