What's the best alternative? It's been a while since I used any of them. I checked Tidal recently and it looked like they have an AI slop problem too.

Nobody knows!

From Wikipedia :

Chemical and genomic analyses have shown that the Lanmaoa asiatica does not contain any known psychoactive compounds such as psilocybin or muscimol. It is likely that there remains an unknown hallucinogenic compound yet to be discovered in this species. Chemical analysis of Lanmaoa asiatica has identified numerous compounds and their pharmacological activity has been studied, but as of yet, none of them have been linked to the reported psychoactive effects.

It's not strictly a city-builder, but the PS2's Dark Cloud involved building cities to accommodate all of the inhabitants' requirements. Each city was like a puzzle, where you had to arrange things in a particular way (with some degree of freedom) to avoid conflicts.

Then there's action-RPG combat and dungeons that might not be your style. But it's a really great game. One of these days I really ought to play the sequel.

Yes, everyone should set up DoH (DNS-over-HTTPS) or DoT (DNS-over-TLS). You can do this at the browser level, like you just did in Firefox, or at the OS level.

You can also block ads this way, by cutting off connections to known ad domains before they even start. Mullvad runs a free ad-blocking DoH server anyone can use. See https://mullvad.net/en/help/dns-over-https-and-dns-over-tls for instructions on how to set that up on your OS.

Firefox has also just announced a built-in VPN, which could help get around other types of ISP-level censorship. That's probably the only free VPN I'd trust, personally. Mullvad and Proton are well-regarded paid VPNs if you want to go that route.

This would require the server's certificate, which the VPN wouldn't (generally) have access to.

The key part of this is that server certificates are trusted and verifiable. To the extent that's true, the process is secure against man-in-the-middle attacks. That's because the client browser can confirm that the server's certificate is legitimate, and encrypt its own public key with that server's public key, so nobody in the middle can read it.

If a man in the middle replaced the encryption keys with their own, then the client would know about it, because it can verify the server's encryption key and of course it knows its own private key, which has never been transmitted over the wire.

You can read more details on the process here: https://www.ssl.com/article/ssl-tls-handshake-ensuring-secure-online-interactions/

Of course nothing is 100% secure. God only knows how many third parties (like government intelligence agencies) have compromised major certificate authorities. If you have access a certificate authority's private keys, then you can spoof basically anything.

IP addresses do not map to URLs.

They might map to domains, but not necessarily.

The SSL/TLS encryption used on the web is designed to prevent that type of attack. It's called "asymmetric encryption", because a different key is used to encrypt and decrypt data. So each side has both a private and public key. You can broadcast your public key, and then anyone can use it to encrypt a message that only YOU can decrypt, with your private key. The private key never goes over the network, so the VPN provider can't intercept messages meant for you.

It's possible to spoof the server's certificate and make your browser think it's talking to a real server when it's not. However, this is difficult, because certificates follow a chain of trust, so they'd either need to compromise one of the certificate authorities (plausible for state-level actors), or compromise your web browser/OS so that it trusts a fake authority (definitely possible for a browser/OS vendor, but again, it would be noticed, especially in an open-source product like Firefox).

There are lot of enterprise products out there that perform this kind of "attack" so that businesses can monitor their network traffic. They do this by requiring adding their certificate authority to the list of trusted certs in the OS. This is often called "deep packet inspection". If you try to use these products without adding their certs, your browser will throw a fit every time you load a site because it will see that the certificate doesn't match.

Generally not. Anything with authentication would be using HTTPS encryption. So there will be two layers of encryption: the VPN encryption and the web site's HTTPS encryption. The VPN provider can't replace the HTTPS encryption because your browser would identify it as being encrypted with the wrong certificate and it would block the connection.

Although...given that they control the browser, too, I suppose they could code it to remove those safeguards, but that would not go unnoticed for long.

When you use a VPN, it basically replaces your ISP as the intermediary who can snoop all your traffic, so the real question is who do you trust more: your ISP or Mozilla?