VPN all the way. I am not about to contemplate whether a CA can get compromised, connection MITM'd etc

As an aside, I do not use VPN, my laptop wears pretty red socks whenever I am not at home but that's probably more problematic to most than running a VPN. ( I have a server I can SSH into and OpenSSH provides SOCKS v5)