From 6c72b4787c4f4811eab754cfd156da0ddd4c01ce Mon Sep 17 00:00:00 2001 
From: Crowdin Bot Date: Thu, 17 Apr 2025 15:35:24 +0000 Subject: [PATCH] New Crowdin translations by GitHub Action --- i18n/ar/basics/account-creation.md | 12 +- i18n/ar/basics/email-security.md | 20 +-- i18n/ar/email-aliasing.md | 74 ++++++----- i18n/ar/email-clients.md | 2 +- i18n/ar/email.md | 124 ++++++++++--------- i18n/ar/os/android-overview.md | 6 +- i18n/bn-IN/basics/account-creation.md | 12 +- i18n/bn-IN/basics/email-security.md | 20 +-- i18n/bn-IN/email-aliasing.md | 74 ++++++----- i18n/bn-IN/email-clients.md | 2 +- i18n/bn-IN/email.md | 122 +++++++++--------- i18n/bn-IN/os/android-overview.md | 6 +- i18n/bn/basics/account-creation.md | 12 +- i18n/bn/basics/email-security.md | 20 +-- i18n/bn/email-aliasing.md | 74 ++++++----- i18n/bn/email-clients.md | 2 +- i18n/bn/email.md | 122 +++++++++--------- i18n/bn/os/android-overview.md | 6 +- i18n/cs/basics/account-creation.md | 12 +- i18n/cs/basics/email-security.md | 20 +-- i18n/cs/email-aliasing.md | 74 ++++++----- i18n/cs/email-clients.md | 2 +- i18n/cs/email.md | 122 +++++++++--------- i18n/cs/os/android-overview.md | 6 +- i18n/de/basics/account-creation.md | 12 +- i18n/de/basics/email-security.md | 20 +-- i18n/de/email-aliasing.md | 84 ++++++++----- i18n/de/email-clients.md | 2 +- i18n/de/email.md | 142 ++++++++++----------- i18n/de/os/android-overview.md | 6 +- i18n/el/basics/account-creation.md | 12 +- i18n/el/basics/email-security.md | 20 +-- i18n/el/email-aliasing.md | 74 ++++++----- i18n/el/email-clients.md | 2 +- i18n/el/email.md | 122 +++++++++--------- i18n/el/os/android-overview.md | 6 +- i18n/eo/basics/account-creation.md | 12 +- i18n/eo/basics/email-security.md | 20 +-- i18n/eo/email-aliasing.md | 74 ++++++----- i18n/eo/email-clients.md | 2 +- i18n/eo/email.md | 122 +++++++++--------- i18n/eo/os/android-overview.md | 6 +- i18n/es/basics/account-creation.md | 12 +- i18n/es/basics/email-security.md | 20 +-- i18n/es/email-aliasing.md | 86 +++++++------ i18n/es/email-clients.md | 2 +- 
i18n/es/email.md | 138 +++++++++++---------- i18n/es/os/android-overview.md | 6 +- i18n/fa/basics/account-creation.md | 12 +- i18n/fa/basics/email-security.md | 20 +-- i18n/fa/email-aliasing.md | 74 ++++++----- i18n/fa/email-clients.md | 2 +- i18n/fa/email.md | 134 ++++++++++---------- i18n/fa/os/android-overview.md | 6 +- i18n/fr/basics/account-creation.md | 12 +- i18n/fr/basics/email-security.md | 20 +-- i18n/fr/email-aliasing.md | 74 ++++++----- i18n/fr/email-clients.md | 2 +- i18n/fr/email.md | 128 +++++++++---------- i18n/fr/os/android-overview.md | 6 +- i18n/he/basics/account-creation.md | 12 +- i18n/he/basics/email-security.md | 20 +-- i18n/he/email-aliasing.md | 74 ++++++----- i18n/he/email-clients.md | 2 +- i18n/he/email.md | 128 +++++++++---------- i18n/he/os/android-overview.md | 6 +- i18n/hi/basics/account-creation.md | 12 +- i18n/hi/basics/email-security.md | 20 +-- i18n/hi/email-aliasing.md | 74 ++++++----- i18n/hi/email-clients.md | 2 +- i18n/hi/email.md | 122 +++++++++--------- i18n/hi/os/android-overview.md | 6 +- i18n/hu/basics/account-creation.md | 12 +- i18n/hu/basics/email-security.md | 20 +-- i18n/hu/email-aliasing.md | 74 ++++++----- i18n/hu/email-clients.md | 2 +- i18n/hu/email.md | 126 +++++++++---------- i18n/hu/os/android-overview.md | 6 +- i18n/id/basics/account-creation.md | 12 +- i18n/id/basics/email-security.md | 20 +-- i18n/id/email-aliasing.md | 74 ++++++----- i18n/id/email-clients.md | 2 +- i18n/id/email.md | 124 ++++++++++--------- i18n/id/os/android-overview.md | 6 +- i18n/it/basics/account-creation.md | 12 +- i18n/it/basics/email-security.md | 20 +-- i18n/it/email-aliasing.md | 74 ++++++----- i18n/it/email-clients.md | 2 +- i18n/it/email.md | 156 +++++++++++------------ i18n/it/os/android-overview.md | 6 +- i18n/ja/basics/account-creation.md | 12 +- i18n/ja/basics/email-security.md | 20 +-- i18n/ja/email-aliasing.md | 74 ++++++----- i18n/ja/email-clients.md | 2 +- i18n/ja/email.md | 130 +++++++++---------- 
i18n/ja/os/android-overview.md | 6 +- i18n/ko/basics/account-creation.md | 12 +- i18n/ko/basics/email-security.md | 20 +-- i18n/ko/email-aliasing.md | 74 ++++++----- i18n/ko/email-clients.md | 2 +- i18n/ko/email.md | 126 +++++++++---------- i18n/ko/os/android-overview.md | 6 +- i18n/ku-IQ/basics/account-creation.md | 12 +- i18n/ku-IQ/basics/email-security.md | 20 +-- i18n/ku-IQ/email-aliasing.md | 74 ++++++----- i18n/ku-IQ/email-clients.md | 2 +- i18n/ku-IQ/email.md | 122 +++++++++--------- i18n/ku-IQ/os/android-overview.md | 6 +- i18n/nl/basics/account-creation.md | 12 +- i18n/nl/basics/email-security.md | 20 +-- i18n/nl/email-aliasing.md | 74 ++++++----- i18n/nl/email-clients.md | 2 +- i18n/nl/email.md | 126 +++++++++---------- i18n/nl/os/android-overview.md | 6 +- i18n/pl/basics/account-creation.md | 12 +- i18n/pl/basics/email-security.md | 20 +-- i18n/pl/email-aliasing.md | 74 ++++++----- i18n/pl/email-clients.md | 2 +- i18n/pl/email.md | 122 +++++++++--------- i18n/pl/os/android-overview.md | 6 +- i18n/pt-BR/basics/account-creation.md | 12 +- i18n/pt-BR/basics/email-security.md | 20 +-- i18n/pt-BR/email-aliasing.md | 74 ++++++----- i18n/pt-BR/email-clients.md | 2 +- i18n/pt-BR/email.md | 134 ++++++++++---------- i18n/pt-BR/os/android-overview.md | 6 +- i18n/pt/basics/account-creation.md | 12 +- i18n/pt/basics/email-security.md | 20 +-- i18n/pt/email-aliasing.md | 74 ++++++----- i18n/pt/email-clients.md | 2 +- i18n/pt/email.md | 128 +++++++++---------- i18n/pt/os/android-overview.md | 6 +- i18n/ru/basics/account-creation.md | 12 +- i18n/ru/basics/email-security.md | 20 +-- i18n/ru/email-aliasing.md | 74 ++++++----- i18n/ru/email-clients.md | 2 +- i18n/ru/email.md | 128 +++++++++---------- i18n/ru/os/android-overview.md | 6 +- i18n/sv/basics/account-creation.md | 12 +- i18n/sv/basics/email-security.md | 20 +-- i18n/sv/email-aliasing.md | 74 ++++++----- i18n/sv/email-clients.md | 2 +- i18n/sv/email.md | 122 +++++++++--------- i18n/sv/os/android-overview.md | 6 +- 
i18n/tr/basics/account-creation.md | 12 +- i18n/tr/basics/email-security.md | 20 +-- i18n/tr/email-aliasing.md | 74 ++++++----- i18n/tr/email-clients.md | 2 +- i18n/tr/email.md | 122 +++++++++--------- i18n/tr/os/android-overview.md | 6 +- i18n/uk/basics/account-creation.md | 12 +- i18n/uk/basics/email-security.md | 20 +-- i18n/uk/email-aliasing.md | 74 ++++++----- i18n/uk/email-clients.md | 2 +- i18n/uk/email.md | 124 ++++++++++--------- i18n/uk/os/android-overview.md | 6 +- i18n/vi/basics/account-creation.md | 12 +- i18n/vi/basics/email-security.md | 20 +-- i18n/vi/email-aliasing.md | 74 ++++++----- i18n/vi/email-clients.md | 2 +- i18n/vi/email.md | 122 +++++++++--------- i18n/vi/os/android-overview.md | 6 +- i18n/zh-Hant/basics/account-creation.md | 12 +- i18n/zh-Hant/basics/email-security.md | 20 +-- i18n/zh-Hant/email-aliasing.md | 86 +++++++------ i18n/zh-Hant/email-clients.md | 2 +- i18n/zh-Hant/email.md | 158 ++++++++++++------------ i18n/zh-Hant/os/android-overview.md | 6 +- i18n/zh/basics/account-creation.md | 12 +- i18n/zh/basics/email-security.md | 20 +-- i18n/zh/email-aliasing.md | 74 ++++++----- i18n/zh/email-clients.md | 2 +- i18n/zh/email.md | 124 ++++++++++--------- i18n/zh/os/android-overview.md | 6 +- includes/abbreviations.ar.txt | 39 +++--- includes/abbreviations.bn-IN.txt | 39 +++--- includes/abbreviations.bn.txt | 39 +++--- includes/abbreviations.cs.txt | 39 +++--- includes/abbreviations.de.txt | 39 +++--- includes/abbreviations.el.txt | 39 +++--- includes/abbreviations.eo.txt | 39 +++--- includes/abbreviations.es.txt | 39 +++--- includes/abbreviations.fa.txt | 39 +++--- includes/abbreviations.fr.txt | 39 +++--- includes/abbreviations.he.txt | 39 +++--- includes/abbreviations.hi.txt | 39 +++--- includes/abbreviations.hu.txt | 39 +++--- includes/abbreviations.id.txt | 39 +++--- includes/abbreviations.it.txt | 39 +++--- includes/abbreviations.ja.txt | 39 +++--- includes/abbreviations.ko.txt | 39 +++--- includes/abbreviations.ku-IQ.txt | 39 
+++--- includes/abbreviations.nl.txt | 39 +++--- includes/abbreviations.pl.txt | 39 +++--- includes/abbreviations.pt-BR.txt | 39 +++--- includes/abbreviations.pt.txt | 39 +++--- includes/abbreviations.ru.txt | 39 +++--- includes/abbreviations.sv.txt | 39 +++--- includes/abbreviations.tr.txt | 39 +++--- includes/abbreviations.uk.txt | 39 +++--- includes/abbreviations.vi.txt | 39 +++--- includes/abbreviations.zh-Hant.txt | 39 +++--- includes/abbreviations.zh.txt | 39 +++--- 203 files changed, 4458 insertions(+), 3733 deletions(-) diff --git a/i18n/ar/basics/account-creation.md b/i18n/ar/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/ar/basics/account-creation.md +++ b/i18n/ar/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/ar/basics/email-security.md b/i18n/ar/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/ar/basics/email-security.md +++ b/i18n/ar/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/ar/email-aliasing.md b/i18n/ar/email-aliasing.md index bc73aeb2..88f7f72d 100644 --- a/i18n/ar/email-aliasing.md +++ b/i18n/ar/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## موفِّرو الخدمة الموصى بهم
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/ar/email-clients.md b/i18n/ar/email-clients.md index 069f84b1..c6c7fc7a 100644 --- a/i18n/ar/email-clients.md +++ b/i18n/ar/email-clients.md 
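Review bot: in the SimpleLogin hunk the merged sentence "via their official reseller [ProxyStore](https://simplelogin.io/faq)" links to the generic FAQ page, whereas the addy.io text links straight to its voucher-code help page; if SimpleLogin's FAQ has a voucher or ProxyStore entry, anchor to it so the reader lands on the relevant answer. The Edge add-on URL reduced to its ID-only form matches the Chrome link style and is fine.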
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/ar/email.md b/i18n/ar/email.md index 7a7640d9..0c389cd6 100644 --- a/i18n/ar/email.md +++ b/i18n/ar/email.md @@ -22,19 +22,19 @@ global: خلا ذلك فنوصي بعدد من موفِّري خدمة البريد الإلكتروني، وذلك حسب استدامة نموذجات عملهم وأمنهم ومزايا الخصوصية عندهم. للمزيد من المعلومات، اطلع على [قائمة المعايير](#criteria). -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [بريد بروتون](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [بريد بروتون](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## الخدمات الداعمة لأوبن‌بي‌جي‌بي -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. فمثلًا: باستطاعة مستخدم بريد بروتون إرسال رسالة معمَّاة بين الأطراف، وكون المستقبل مستخدم Mailbox.org، أو لك استقبال إشعارات معمَّاةً بأوبن‌بي‌جي‌بي من خدمات الإنترنت الداعمة له. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. فمثلًا: باستطاعة مستخدم بريد بروتون إرسال رسالة معمَّاة بين الأطراف، وكون المستقبل مستخدم Mailbox.org، أو لك استقبال إشعارات معمَّاةً بأوبن‌بي‌جي‌بي من خدمات الإنترنت الداعمة له.
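Review bot: the Tuta row's "Anonymous Payment Methods" cell now reads "Monero" followed by "Cash via third party |" on a new line. A literal newline inside a Markdown table cell terminates the row, so confirm the source uses an inline break (for example `Monero<br>Cash via third party |`) or keeps the cell on one line; otherwise the table loses its last row in the rendered page. Also, the inline link now goes to `email-aliasing.md#recommended-providers` while the "More Information" bullet just below still links to `email-aliasing.md`; pick one target for both.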
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
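Review bot: "if the private key of either you or the message recipient is ever stolen" is awkward; "if either your private key or the recipient's is ever stolen" says the same thing more plainly. Moving the "How do I protect my private keys?" question out of the paragraph into its own bullet is fine as long as a single-item list is the convention used for these cross-links elsewhere on the site.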
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=left } -**بريد بروتون** هو خدمة بُرُد إلكترونية تركِّز في الخصوصية والتعمية والأمن واليسر. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**بريد بروتون** هو خدمة بُرُد إلكترونية تركِّز في الخصوصية والتعمية والأمن واليسر. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -للحسابات المجانية قيود، كعجزهم عن البحث في النصوص وعدم استخدام [جسر بريد بروتون](https://proton.me/mail/bridge)، وتحتاجه إن أردت استخدام [أحد برامج البريد في سطح المكتب الموصى بها](email-clients.md) (مثل ثندربرد). لمن اشترك في حساب عند بريد بروتون مزايا، مثل جسر بريد بروتون ومساحة تخزين إضافية ودعم أسماء النطاق المخصَّصة. أعطت [سكيورتم](https://research.securitum.com) [شهادةً](https://proton.me/blog/security-audit-all-proton-apps) لتطبيقات بريد بروتون في التاسع من نوفمبر عام ٢٠٢١. +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). لمن اشترك في حساب عند بريد بروتون مزايا، مثل جسر بريد بروتون ومساحة تخزين إضافية ودعم أسماء النطاق المخصَّصة. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +أعطت [سكيورتم](https://research.securitum.com) [شهادةً](https://proton.me/blog/security-audit-all-proton-apps) لتطبيقات بريد بروتون في التاسع من نوفمبر عام ٢٠٢١. Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
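Review bot: the rewritten Proton limitations paragraph now alternates English and Arabic sentence by sentence (English limitations sentence, Arabic paid-features sentence, English SimpleLogin sentence), and the Securitum audit sentence stays Arabic on its own line. For a partially translated Crowdin file that is expected, but mixed LTR/RTL runs inside one paragraph render poorly, so confirm the Arabic segments are current translations of the new source sentences rather than stale translations of the removed ones.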
@@ -93,7 +97,7 @@ Proton Mail has internal crash reports that are **not** shared with third partie #### :material-check:{ .pg-green } سُبُل الدفع الخاصَّة -[يقبل](https://proton.me/support/payment-options) بريد بروتون الدفع نقدًا عن طريق البريد، ويقبل كذلك الدفع ببطاقات الائتمان والبطاقات المصرفية [وبتكوين](advanced/payments.md#other-coins-bitcoin-ethereum-etc) وبي‌بال. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } أمن الحساب 
@@ -109,7 +113,7 @@ Proton Mail supports TOTP [two-factor authentication](https://proton.me/support/ عند بريد بروتون [دعم مدمج لتعمية أوبن‌بي‌جي‌بي](https://proton.me/support/how-to-use-pgp) في صفحة البريد. تعمَّى الرسائل المرسلة لحسابات بريد بروتون الأخرى تلقائيًّا، ولك تمكين تعمية أوبن‌بي‌جي‌بي لعناوين البريد خارج بروتون في إعدادات حسابك. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. ويتيح هذا لمن ليس عنده بريد بروتون العثور على مفاتيح أوبن‌بي‌جي‌بي لحسابات بريد بروتون بسهولة، وذلك لتمكين التعمية بين الأطراف بين موفِّري خدمة البريد الإلكترونيِّ. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } إنهاء الحسابات 
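Review bot: both the removed and the added sentence say Proton publishes keys "via HTTP from their WKD"; Web Key Directory lookups are made over HTTPS (the WKD specification requires it), so "via HTTPS" is the accurate wording, here and in the matching Mailbox.org sentence. The link fix from `./basics/...` to `basics/...` is correct and consistent with the rest of the page.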
@@ -117,17 +121,17 @@ Proton Mail also publishes the public keys of Proton accounts via HTTP from thei #### :material-information-outline:{ .pg-blue } وظائف إضافية -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -ليس عند بريد بروتون ميزة الإرث الرقميِّ. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=left } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** هو خدمة بريد إلكترونيٍّ تركِّز على الأمن والخلوِّ من الإعلانات، وهي تستلم طاقتها من مصادر خاصَّة ١٠٠٪ صديقة للبيئة. وهم يعملون منذ ٢٠١٤. ومقرُّهم في برلين في ألمانيا. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. وهم يعملون منذ ٢٠١٤. ومقرُّهم في برلين في ألمانيا. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
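Review bot: the Mailbox.org logo is switched to `align=right`, which matches Tuta's logos (`align=right` in the @@ -195 hunk), but the Proton Mail logo in the @@ -58 hunk is still `align=left`; apply the same alignment to all three provider cards so the layout is uniform.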
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } سُبُل الدفع الخاصَّة -لا تقبل Mailbox.org الدفع باستخدام العملات المعمَّاة، وسبب ذلك أن معالج دفعهم، بِت‌بَي، علَّق عملياته في ألمانيا. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +لا تقبل Mailbox.org الدفع باستخدام العملات المعمَّاة، وسبب ذلك أن معالج دفعهم، بِت‌بَي، علَّق عملياته في ألمانيا. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } أمن الحساب -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). بعض معايير الوِب مثل [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) ليست مدعومةً بعد. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } أمن البيانات Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). تعمَّى الرسائل الواردة باستخدام مفتاحك العامِّ فورًا. 
-However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. لعلَّ [خيارًا مستقلًّا](calendar.md) أفضل لهذه المعلومات. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } تعمية البريد الإلكتروني Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. فائدة هذا تظهر في حال كان المستقبل ليس لديه أوبن‌بي‌جي‌بي ولا يستطيع كشف تعمية نسخة من الرسالة في صندوق بريده. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. ويتيح هذا لمن ليس عنده Mailbox.org العثور على مفاتيح أوبن‌بي‌جي‌بي لحسابات Mailbox.org بسهولة، وذلك لتمكين التعمية بين الأطراف بين موفِّري خدمة البريد الإلكترونيِّ. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. 
This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } إنهاء الحسابات @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. تدعم Mailbox.org [إكستشينج-أكتف‌سنك](https://en.wikipedia.org/wiki/Exchange_ActiveSync)، وكذلك تدعم معايير الوصول القياسية مثل IMAP و POP3. -عند Mailbox.org ميزة الإرث الرقميِّ لكلِّ الاشتراكات. فبوسعك اختيار ما إن أردت أن تورِّث أيَّ بيانات لك، وذلك إن سجَّل ذلك ورثاؤك وشهدت بذلك. غير ذلك فيمكنك ترشيح شخص باسمه وعنوانه. +عند Mailbox.org ميزة الإرث الرقميِّ لكلِّ الاشتراكات. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. غير ذلك فيمكنك ترشيح شخص باسمه وعنوانه. ## مقدِّموا خدمة آخرون 
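Review bot: in the digital legacy sentence, "providing that they apply and provide your testament" should be "provided that they apply and provide your testament"; "providing" as a conjunction is non-standard and clashes with "provide" in the same clause.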
@@ -195,7 +199,9 @@ All accounts come with limited cloud storage that [can be encrypted](https://kb. ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } سُبُل الدفع الخاصَّة -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } أمن الحساب 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } أمن البيانات -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). ويعني هذا أن الرسائل والبيانات المخزَّنة في حسابك لا يقرؤها إلا أنت. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). ويعني هذا أن الرسائل والبيانات المخزَّنة في حسابك لا يقرؤها إلا أنت. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
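Review bot: this hunk removes "Tuta doesn't offer a digital legacy feature" and the @@ -117 hunk removes the equivalent Arabic sentence for Proton Mail, but the Mailbox.org digital legacy paragraph in the @@ -176 hunk is kept. If digital legacy has been dropped from the criteria, say so or remove the Mailbox.org paragraph as well; if it is still a differentiator, the Proton and Tuta statements should stay so the comparison remains complete.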
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
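Review bot: custom domain support now appears twice in this hunk, once as a Minimum ("Allow users to use their own domain name") and again as Best Case ("Should allow users to use their own domain name"), with the identical explanatory sentence; drop the Best Case copy. The Minimum item should also read "Must allow" to match the other Minimum bullets, and two Best Case bullets ("Support for a temporary mailbox for external users", "Catch-all or alias functionality") still use the old noun-phrase style next to the new "Should ..." phrasing.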
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/ar/os/android-overview.md b/i18n/ar/os/android-overview.md index f2086618..4ff9761a 100644 
--- a/i18n/ar/os/android-overview.md +++ b/i18n/ar/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/bn-IN/basics/account-creation.md b/i18n/bn-IN/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/bn-IN/basics/account-creation.md +++ b/i18n/bn-IN/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/bn-IN/basics/email-security.md b/i18n/bn-IN/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/bn-IN/basics/email-security.md +++ b/i18n/bn-IN/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/bn-IN/email-aliasing.md b/i18n/bn-IN/email-aliasing.md index bc73aeb2..87d0fd0e 100644 --- a/i18n/bn-IN/email-aliasing.md +++ b/i18n/bn-IN/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Recommended Providers
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/bn-IN/email-clients.md b/i18n/bn-IN/email-clients.md index 069f84b1..c6c7fc7a 100644 --- a/i18n/bn-IN/email-clients.md +++ b/i18n/bn-IN/email-clients.md 
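Review bot: in the ProxyStore sentence of this hunk the reseller's name is linked to `https://simplelogin.io/faq`, so a reader who clicks "ProxyStore" lands on the whole FAQ page rather than on the reseller or the FAQ entry about voucher codes; link the specific FAQ anchor or ProxyStore's own site, and keep the comma from the old line ("their official reseller, [ProxyStore]"). Moving the Securitum audit sentence into its own paragraph is fine; the claim "all issues were addressed" still rests on the linked audit PDF, so leave that link in place.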
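Review bot: footnote `[^1]` (unchanged context in this hunk) says automatic PGP encryption ensures "your primary mailbox provider never sees unencrypted email content", but the same sentence describes the aliasing service encrypting "non-encrypted incoming emails" before forwarding, so the aliasing provider necessarily handles those messages in plaintext; state that trade-off in the footnote, e.g. "...your primary mailbox provider never sees unencrypted email content (the aliasing service still does, since it performs the encryption)". The wording change from "email service" to "email aliasing service" in the Criteria paragraph is correct for this page.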
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/bn-IN/email.md b/i18n/bn-IN/email.md index e2054402..ae8b4023 100644 --- a/i18n/bn-IN/email.md +++ b/i18n/bn-IN/email.md 
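Review bot: the unchanged tail of this sentence, "OAuth allows you to use Multi-Factor Authentication to prevent account theft", reads as if OAuth itself were an MFA method; what an OAuth sign-in gives a mail client is delegation to the provider's own login flow, so whatever MFA the account has enabled applies and the client never stores the account password. Suggest: "OAuth lets the client sign in through your provider's login flow, so your account's Multi-Factor Authentication applies and the client does not store your password." Retargeting the link to `basics/account-creation.md#sign-in-with-oauth` matches the android-overview change in the same commit.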
@@ -22,19 +22,19 @@ Email is practically a necessity for using any online service, however we do not For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP Compatible Services -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
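Review bot: in the new Tuta row of the table the last cell appears as `Monero` followed by `Cash via third party` with the connector missing, whereas the removed row had `Monero & Cash via third-party`; check that the `&` survived in the committed file, since "Monero Cash" reads as a single payment method. Also, the intro sentence now links `email-aliasing.md#recommended-providers` while the "More Information" bullet directly under it still links plain `email-aliasing.md`; use one target for both.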
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
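Review bot: the plan list for free SimpleLogin Premium in this hunk ("Proton Unlimited plan or any multi-user Proton plan") no longer matches the email-aliasing.md hunk in the same commit, which reads "Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan"; align the two, presumably by adding Proton Pass Plus here. The sentence is also now appended to the paragraph about free-account limitations, where it reads as one of the limitations; it sat better on its own line, which is where the attestation sentence moved to.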
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Private Payment Methods -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Account Security 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail doesn't offer a digital legacy feature. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail doesn't offer a digital legacy feature. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Private Payment Methods -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Account Security -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
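Review bot: "two-factor authentication for their webmail only" in the Account Security hunk leaves the security-relevant consequence implicit: the IMAP/SMTP access and the Exchange ActiveSync support described later in this file authenticate with the account password alone, so 2FA does not protect those paths and the mailbox is only as strong as that password. Add one sentence after it, e.g. "Mail protocols such as IMAP/SMTP are not covered by 2FA, so use a long, unique password for them." The Open-Exchange to Open-Xchange correction and the `@mailbox.org` code formatting are good.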
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Account Security 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
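Review bot: this hunk deletes "Tuta doesn't offer a digital legacy feature." and the earlier hunk at +121 deletes the same statement for Proton Mail, but the Mailbox.org section in this file keeps "Mailbox.org has a digital legacy feature for all plans.", so the comparison becomes one-sided and a reader can no longer tell whether the other two providers were checked. Either keep the two negative statements or drop the Mailbox.org sentence as well, and if the feature is no longer evaluated, say so under Criteria. The "zero access" to "zero-access" change is consistent with the table header and the criteria hunks.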
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
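Review bot: the custom-domain bullet is now listed twice: it is added to Minimum to Qualify ("Allow users to use their own domain name...") and re-added to Best Case ("Should allow users to use their own domain name...") with the same justification sentence, while only the old Best Case copy is removed. Keep one; if it is a minimum requirement, phrase it like its neighbours ("Must allow users to use their own domain name"). Two Best Case bullets ("Support for a temporary mailbox..." and "Catch-all or alias functionality...") were not converted to the new "Should ..." form. Minor: `gpg --locate-key example_user@example.com` consults the default auto-key-locate list and returns a locally cached key before trying WKD, so to verify a provider's WKD specifically use `gpg --auto-key-locate clear,nodefault,wkd --locate-keys example_user@example.com`.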
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
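Review bot: the Minimum to Qualify bullet now reads "Must have a proper DMARC record and policy or use ARC for authentication", yet ARC appears again under Best Case in the same hunk as a should-have "useful for people who post to mailing lists"; ARC preserves authentication results across forwarders and is not a substitute for a DMARC policy, so drop the "or use ARC" alternative and require SPF, DKIM and a DMARC policy of `quarantine` or `reject` outright. Only this bullet received the "Must" prefix; the other minimum bullets in the Security list (DNSSEC, TLS profiling, MTA-STS/TLS-RPT, DANE, SPF/DKIM, SMTPS) are still bare noun phrases, so convert all of them or none. The "TLSv1.3" to "TLS 1.3" change should also be applied to the "TLS 1.2 or later" bullet's RFC8996 wording if the source page standardises on that form.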
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/bn-IN/os/android-overview.md b/i18n/bn-IN/os/android-overview.md index f2086618..4ff9761a 100644 
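Review bot: nesting the "Must not have any irresponsible marketing" items under the Minimum to Qualify list is the right structural fix, but the inner item "Reusing personal information e.g. (email accounts, unique pseudonyms, etc.)" keeps the misplaced parenthesis from the old line; it should read "Reusing personal information (e.g. email accounts, unique pseudonyms, etc.)". Note that this hunk also narrows "anonymity software (Tor, VPN, etc.)" to "anonymity software such as Tor", which is a content change rather than a layout one; confirm it is intentional.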
--- a/i18n/bn-IN/os/android-overview.md +++ b/i18n/bn-IN/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/bn/basics/account-creation.md b/i18n/bn/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/bn/basics/account-creation.md +++ b/i18n/bn/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/bn/basics/email-security.md b/i18n/bn/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/bn/basics/email-security.md +++ b/i18n/bn/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/bn/email-aliasing.md b/i18n/bn/email-aliasing.md index bc73aeb2..87d0fd0e 100644 --- a/i18n/bn/email-aliasing.md +++ b/i18n/bn/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Recommended Providers
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/bn/email-clients.md b/i18n/bn/email-clients.md index 069f84b1..c6c7fc7a 100644 --- a/i18n/bn/email-clients.md +++ b/i18n/bn/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/bn/email.md b/i18n/bn/email.md index e2054402..ae8b4023 100644 --- a/i18n/bn/email.md +++ b/i18n/bn/email.md 
@@ -22,19 +22,19 @@ Email is practically a necessity for using any online service, however we do not For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP Compatible Services -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Private Payment Methods -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Account Security 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail doesn't offer a digital legacy feature. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail doesn't offer a digital legacy feature. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Private Payment Methods -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Account Security -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Account Security 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/bn/os/android-overview.md b/i18n/bn/os/android-overview.md index f2086618..4ff9761a 100644 
--- a/i18n/bn/os/android-overview.md +++ b/i18n/bn/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/cs/basics/account-creation.md b/i18n/cs/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/cs/basics/account-creation.md +++ b/i18n/cs/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/cs/basics/email-security.md b/i18n/cs/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/cs/basics/email-security.md +++ b/i18n/cs/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
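Review bot: "Google Workplace" in the rewritten S/MIME line is a typo for Google Workspace, the product the linked `support.google.com/a` page belongs to; since the hunk already touches that line (it drops the comma after "however"), fix the product name in the same pass. The new relative link `[GnuPG](../encryption.md#gnu-privacy-guard)` replaces a Wikipedia link; confirm that anchor exists on the encryption page in this locale, because Crowdin does not validate cross-page anchors.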
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
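Review bot: in the "What Email Clients Support E2EE?" paragraph, correcting OATH to OAuth is right, but the link target `account-creation.md#sign-in-with-oauth` describes "Sign in with ..." website login, whereas this sentence is about an IMAP/SMTP client authenticating to the mailbox, as the preceding clause states. A reader could conclude that using "Sign in with Google" on websites is what lets their mail client use MFA. Consider linking to the email-clients page or adding "OAuth for mailbox login" so the two uses are not conflated, and split the trailing "as multifactor authentication is not possible with plain password authentication" into its own sentence; as written the "if either ... does not support OAuth or a bridge application" clause and the MFA justification run together.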
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/cs/email-aliasing.md b/i18n/cs/email-aliasing.md index bc73aeb2..87d0fd0e 100644 --- a/i18n/cs/email-aliasing.md +++ b/i18n/cs/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Recommended Providers
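Review bot: the new "## Benefits" intro ends with a colon ("... conventional mailbox management/filtering methods:") and is immediately followed by the `### Over Plus Addressing` heading rather than the list the colon promises; end the sentence with a period. The `### Over Catch-All Aliases` subsection then repeats the intro's "has a number of benefits over" wording; something like "Compared with a catch-all alias on a custom domain:" avoids saying it twice. Moving the "Email aliasing can also act as a safeguard ..." paragraph up next to the definition reads fine.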
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/cs/email-clients.md b/i18n/cs/email-clients.md index 069f84b1..c6c7fc7a 100644 --- a/i18n/cs/email-clients.md +++ b/i18n/cs/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/cs/email.md b/i18n/cs/email.md index e2054402..ae8b4023 100644 --- a/i18n/cs/email.md +++ b/i18n/cs/email.md 
@@ -22,19 +22,19 @@ Email is practically a necessity for using any online service, however we do not For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP Compatible Services -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Private Payment Methods -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Account Security 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail doesn't offer a digital legacy feature. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail doesn't offer a digital legacy feature. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Private Payment Methods -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Account Security -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Account Security 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/cs/os/android-overview.md b/i18n/cs/os/android-overview.md index f2086618..4ff9761a 100644 
--- a/i18n/cs/os/android-overview.md +++ b/i18n/cs/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/de/basics/account-creation.md b/i18n/de/basics/account-creation.md index f6be1bf0..ac57eb45 100644 --- a/i18n/de/basics/account-creation.md +++ b/i18n/de/basics/account-creation.md 
@@ -42,7 +42,7 @@ Du bist für die Verwaltung deiner Anmeldedaten verantwortlich. Für zusätzlich #### E-Mail-Aliasse -Wenn du deine echte E-Mail-Adresse nicht an einen Dienst weitergeben möchtest, hast du die Möglichkeit, einen Alias zu verwenden. Wir haben diese auf unserer Empfehlungsseite für E-Mail-Dienste näher beschrieben. Im Grunde erlauben dir Alias-Dienste neue E-Mail-Adressen zu generieren, die alle E-Mails an deine Hauptadresse weiterleiten. Dies kann dazu beitragen, die Nachverfolgung über verschiedene Dienste hinweg zu verhindern und die Marketing-E-Mails zu verwalten, die manchmal mit dem Anmeldeprozess einhergehen. Diese können automatisch anhand des Alias gefiltert werden, an den sie gesendet werden. +Wenn du deine echte E-Mail-Adresse nicht an einen Dienst weitergeben möchtest, hast du die Möglichkeit, einen Alias zu verwenden. We describe them in more detail on our email services recommendation page. Im Grunde erlauben dir Alias-Dienste neue E-Mail-Adressen zu generieren, die alle E-Mails an deine Hauptadresse weiterleiten. Dies kann dazu beitragen, die Nachverfolgung über verschiedene Dienste hinweg zu verhindern und die Marketing-E-Mails zu verwalten, die manchmal mit dem Anmeldeprozess einhergehen. Diese können automatisch anhand des Alias gefiltert werden, an den sie gesendet werden. Sollte ein Dienst gehackt werden, erhältst du möglicherweise Phishing- oder Spam-E-Mails an die Adresse, die du für die Anmeldung verwendet hast. Die Verwendung eindeutiger Aliasnamen für jeden Dienst kann dabei helfen, genau festzustellen, welcher Dienst gehackt wurde. 
@@ -50,19 +50,19 @@ Sollte ein Dienst gehackt werden, erhältst du möglicherweise Phishing- oder Sp ### "Anmelden mit ..." (OAuth) -OAuth ist ein Authentifizierungsprotokoll, das es dir ermöglicht, dich für einen Dienst anzumelden, ohne viele Informationen an den Dienstanbieter weiterzugeben, indem du stattdessen ein bestehendes Konto bei einem anderen Dienst verwendest. Wenn du in einem Registrierungsformular etwas wie "Mit *Anbietername* anmelden" siehst, wird in der Regel OAuth verwendet. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Wenn du in einem Registrierungsformular etwas wie "Mit *Anbietername* anmelden" siehst, wird in der Regel OAuth verwendet. Wenn du dich mit OAuth anmeldest, wird eine Anmeldeseite bei dem von dir gewählten Anbieter geöffnet, und dein bestehendes Konto und das neue Konto werden miteinander verbunden. Dein Passwort wird nicht weitergegeben, wohl aber einige grundlegende Informationen (die du bei der Anmeldeanfrage einsehen kannst). Dieser Vorgang ist jedes Mal erforderlich, wenn du dich bei demselben Konto anmelden möchtest. Die wichtigsten Vorteile sind: -- **Sicherheit**: Du musst dich nicht auf die Sicherheitspraktiken des Dienstes verlassen, bei dem du dich anmeldest, wenn es um die Speicherung deiner Anmeldedaten geht, da diese bei einem externen OAuth-Anbieter gespeichert werden. Diese Dienste, wie Apple und Google, wenden in der Regel die besten Sicherheitspraktiken an, Authentifizierungssysteme werden kontinuierlich überprüft und Anmeldedaten nicht in unangemessener Weise (z. B. im Klartext) gespeichert. -- **Benutzerfreundlichkeit**: Mehrere Konten werden über ein einziges Login verwaltet. 
+- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. Aber es gibt auch Nachteile: -- **Privatsphäre**: Der OAuth-Anbieter, bei dem du dich anmeldest, weiß, welche Dienste du nutzt. -- **Zentralisierung**: Wenn das Konto, das du für OAuth verwendest, kompromittiert wird oder du nicht in der Lage bist, dich bei diesem anzumelden, sind alle anderen Konten, die mit dem Account verbunden sind, betroffen. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth kann besonders in Situationen nützlich sein, in denen du von einer tieferen Integration zwischen Diensten profitieren kannst. Wir empfehlen, OAuth nur dort zu verwenden, wo du es brauchst, und das Hauptkonto immer mit [MFA](multi-factor-authentication.md) zu schützen. diff --git a/i18n/de/basics/email-security.md b/i18n/de/basics/email-security.md index 074f28a2..37b7a1a7 100644 --- a/i18n/de/basics/email-security.md +++ b/i18n/de/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -E-Mail ist von Natur aus eine unsichere Form der Kommunikation. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +E-Mail ist von Natur aus eine unsichere Form der Kommunikation. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. Daher sind E-Mails am besten geeignet, um Transaktions-E-Mails (wie Benachrichtigungen, Bestätigungs-E-Mails, Passwortrücksetzungen usw.) von den Online-Diensten zu empfangen, für die du dich anmeldest, und nicht für die Kommunikation mit anderen. ## Übersicht zur E-Mail-Verschlüsselung -Die Standardmethode zum Hinzufügen von E2EE zu E-Mails zwischen verschiedenen E-Mail-Anbietern ist die Verwendung von OpenPGP. Es gibt verschiedene Implementierungen des OpenPGP-Standards, die bekanntesten sind [GnuPG](https://de.wikipedia.org/wiki/GNU_Privacy_Guard) und [OpenPGP.js](https://openpgpjs.org). +Die Standardmethode zum Hinzufügen von E2EE zu E-Mails zwischen verschiedenen E-Mail-Anbietern ist die Verwendung von OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Selbst wenn du OpenPGP verwendest, unterstützt es keine [Forward Secrecy](https://de.wikipedia.org/wiki/Perfect_Forward_Secrecy), d. h. wenn entweder dein privater Schlüssel oder der des Empfängers gestohlen wird, sind alle vorherigen Nachrichten, die damit verschlüsselt wurden, offengelegt. 
Aus diesem Grund empfehlen wir [Instant Messenger](../real-time-communication.md) mit Forward Secrecy, für persönliche Kommunikation, wann immer möglich, anstelle von E-Mails. +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. Aus diesem Grund empfehlen wir [Instant Messenger](../real-time-communication.md) mit Forward Secrecy, für persönliche Kommunikation, wann immer möglich, anstelle von E-Mails. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## Was ist der Web Key Directory Standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email Neben den [von uns empfohlenen E-Mail-Clients](../email-clients.md), die WKD unterstützen, gibt es auch einige Webmail-Anbieter, die WKD unterstützen. Ob *dein eigener* Schlüssel für andere bei WKD veröffentlicht wird, hängt von deiner Domainkonfiguration ab. Verwendest du einen [E-Mail-Anbieter](../email.md#openpgp-compatible-services), der WKD unterstützt, wie z. B. Proton Mail oder Mailbox.org, können diese deinen OpenPGP-Schlüssel auf ihrer Domain für dich veröffentlichen. -Um deine eigene Domain zu verwenden, musst du WKD separat konfigurieren. Kontrollierst du deinen Domainnamen, kannst du WKD unabhängig von deinem E-Mail-Anbieter einrichten. Eine einfach Möglichkeit das zu tun, ist die Nutzung der Funktion „[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)“ von keys.openpgp.org, indem du einen CNAME-Eintrag auf der `openpgpkey-Subdomain` deiner Domain setzt, der auf `wkd.keys.openpgp.org` zeigt, und dann deinen Schlüssel auf [keys.openpgp.org](https://keys.openpgp.org) hochlädst. Alternativ kannst du [WKD selbst auf deinem Webserver hosten](https://wiki.gnupg.org/WKDHosting). +Um deine eigene Domain zu verwenden, musst du WKD separat konfigurieren. Kontrollierst du deinen Domainnamen, kannst du WKD unabhängig von deinem E-Mail-Anbieter einrichten. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternativ kannst du [WKD selbst auf deinem Webserver hosten](https://wiki.gnupg.org/WKDHosting). -Wenn du eine gemeinsam genutzte Domain eines Anbieters verwendest, welcher WKD nicht unterstützt, wie z.B. 
@gmail.com, kannst du deinen OpenPGP-Schlüssel auf diese Weise nicht mit anderen teilen. +If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### Welche E-Mail-Clients unterstützen E2EE? -E-Mail-Anbieter, die dir die Verwendung von Standard-Zugriffsprotokollen wie IMPA und SMTP ermöglichen, können mit jedem der [von uns empfohlenen E-Mail-Clients](../email-clients.md) verwendet werden. Abhängig von der Authentisierungsmethode kann dies zu einer Verringerung der Sicherheit führen, wenn entweder der Anbieter oder der E-Mail-Client OATH oder eine Bridge-Anwendung nicht unterstützt, da eine [Multi-Faktor-Authentisierung](multi-factor-authentication.md) mit einer reinen Passwort-Authentisierung nicht möglich ist. +E-Mail-Anbieter, die dir die Verwendung von Standard-Zugriffsprotokollen wie IMPA und SMTP ermöglichen, können mit jedem der [von uns empfohlenen E-Mail-Clients](../email-clients.md) verwendet werden. Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### Wie schütze ich meine privaten Schlüssel? 
@@ -39,14 +39,14 @@ Es ist vorteilhaft, wenn die Entschlüsselung auf der Smartcard erfolgt, um zu v ## Übersicht über E-Mail-Metadaten -E-Mail-Metadaten werden in dem [Header-Abschnitt](https://de.wikipedia.org/wiki/Header_(E-Mail)) der E-Mail gespeichert und enthalten einige sichtbare Header-Zeilen, die du vielleicht schon gesehen hast, wie z. B.: `An`, `Von`, `Cc`, `Datum`, `Betreff`. Viele E-Mail-Clients und -Anbieter fügen außerdem eine Reihe von versteckten Header-Zeilen hinzu, die Informationen über dein Konto preisgeben können. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. Viele E-Mail-Clients und -Anbieter fügen außerdem eine Reihe von versteckten Header-Zeilen hinzu, die Informationen über dein Konto preisgeben können. E-Mail-Programm können Metadaten verwenden, um anzuzeigen, von wem eine Nachricht stammt und wann sie empfangen wurde. Server können sie verwenden, um zu bestimmen, wohin eine E-Mail gesendet werden muss, neben [anderen Zwecken](https://de. wikipedia. org/wiki/Header_(E-Mail)), die nicht immer transparent sind. ### Wer kann E-Mail-Metadaten einsehen? -Die E-Mail-Metadaten sind mit [Opportunistic TLS](https://de.wikipedia.org/wiki/Opportunistic_TLS) (dt.: STARTTLS) vor externen Beobachtern geschützt, können aber dennoch von deinem E-Mail-Client-Programm (oder Webmail) und allen Servern, die die Nachricht von dir an beliebige Empfänger weiterleiten, einschließlich deines E-Mail-Anbieters, eingesehen werden. Manchmal verwenden E-Mail-Server auch Dienste von Drittanbietern zum Schutz vor Spam, die in der Regel auch Zugang zu deinen Nachrichten haben. 
+Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Manchmal verwenden E-Mail-Server auch Dienste von Drittanbietern zum Schutz vor Spam, die in der Regel auch Zugang zu deinen Nachrichten haben. ### Warum können Metadaten nicht E2EE werden? -E-Mail-Metadaten sind entscheidend für die grundlegenden Funktionen von E-Mails (woher sie kommen und wohin sie gehen sollen). E2EE war ursprünglich nicht in den E-Mail-Protokollen enthalten, sondern erfordert zusätzliche Software wie OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +E-Mail-Metadaten sind entscheidend für die grundlegenden Funktionen von E-Mails (woher sie kommen und wohin sie gehen sollen). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/de/email-aliasing.md b/i18n/de/email-aliasing.md index ba2e72fe..281188fe 100644 --- a/i18n/de/email-aliasing.md +++ b/i18n/de/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Überwachungskapitalismus](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -Mit einem **E-Mail-Aliasing-Dienst** kannst du für jede Website, für die du dich anmeldest, ganz einfach eine neue E-Mail-Adresse generieren. Die von dir erstellten E-Mail-Aliase werden dann an eine E-Mail-Adresse deiner Wahl weitergeleitet, wobei sowohl deine "Haupt"-E-Mail-Adresse als auch die Identität deines [E-Mail-Anbieters](email.md) verborgen bleiben. Echtes E-Mail-Aliasing ist besser als die von vielen Providern verwendete und unterstützte Plus-Adressierung, mit der du Aliase wie "meinname+[irgendwashier]@beispiel.com" erstellen kannst, da Websites, Werbetreibende und Tracking-Netzwerke alles nach dem "+"-Zeichen ganz einfach entfernen können. Organisationen wie das [IAB](https://de.wikipedia.org/wiki/Interactive_Advertising_Bureau) verlangen, dass Werbetreibende [E-Mail-Adressen normalisieren](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them), damit sie korreliert und nachverfolgt werden können, ohne Rücksicht auf die Datenschutzwünsche der Nutzer. +Mit einem **E-Mail-Aliasing-Dienst** kannst du für jede Website, für die du dich anmeldest, ganz einfach eine neue E-Mail-Adresse generieren. Die von dir erstellten E-Mail-Aliase werden dann an eine E-Mail-Adresse deiner Wahl weitergeleitet, wobei sowohl deine "Haupt"-E-Mail-Adresse als auch die Identität deines [E-Mail-Anbieters](email.md) verborgen bleiben. + +Das E-Mail-Aliasing kann auch als Schutz dienen, falls dein E-Mail-Anbieter einmal seinen Betrieb einstellt. In diesem Fall kannst du deine Aliase einfach an eine neue E-Mail-Adresse weiterleiten. Im Gegenzug vertraust du jedoch darauf, dass der Aliasing-Dienst weiterhin funktioniert. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +Echtes E-Mail-Aliasing ist besser als die von vielen Providern verwendete und unterstützte Plus-Adressierung, mit der du Aliase wie "meinname+[irgendwashier]@beispiel.com" erstellen kannst, da Websites, Werbetreibende und Tracking-Netzwerke alles nach dem "+"-Zeichen ganz einfach entfernen können. Organisationen wie das [IAB](https://de.wikipedia.org/wiki/Interactive_Advertising_Bureau) verlangen, dass Werbetreibende [E-Mail-Adressen normalisieren](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them), damit sie korreliert und nachverfolgt werden können, ohne Rücksicht auf die Datenschutzwünsche der Nutzer. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliasnamen können bei Bedarf individuell ein- und ausgeschaltet werden, um zu verhindern, dass Websites wahllos E-Mails an dich senden. +- Die Antworten werden von der Alias-Adresse gesendet, sodass deine echte E-Mail-Adresse verborgen bleibt. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliase sind dauerhaft und können wieder aktiviert werden, wenn du z. B. ein neues Kennwort erhalten musst. +- E-Mails werden an dein vertrauenswürdiges Postfach gesendet und nicht beim Alias-Anbieter gespeichert. +- Temporäre E-Mail-Dienste haben in der Regel öffentliche Postfächer, auf die jeder zugreifen kann, der die Adresse kennt, während Aliase privat sind. + +## Empfohlene DNS-Anbieter
@@ -19,20 +46,7 @@ Mit einem **E-Mail-Aliasing-Dienst** kannst du für jede Website, für die du di
-Das E-Mail-Aliasing kann auch als Schutz dienen, falls dein E-Mail-Anbieter einmal seinen Betrieb einstellt. In diesem Fall kannst du deine Aliase einfach an eine neue E-Mail-Adresse weiterleiten. Im Gegenzug vertraust du jedoch darauf, dass der Aliasing-Dienst weiterhin funktioniert. - -Die Verwendung eines speziellen E-Mail-Aliasdienstes hat auch eine Reihe von Vorteilen gegenüber einem Catch-All-Alias auf einer benutzerdefinierten Domäne: - -- Aliasnamen können bei Bedarf individuell ein- und ausgeschaltet werden, um zu verhindern, dass Websites wahllos E-Mails an dich senden. -- Die Antworten werden von der Alias-Adresse gesendet, sodass deine echte E-Mail-Adresse verborgen bleibt. - -Sie haben auch eine Reihe von Vorteilen gegenüber "temporären E-Mail-Diensten": - -- Aliase sind dauerhaft und können wieder aktiviert werden, wenn du z. B. ein neues Kennwort erhalten musst. -- E-Mails werden an dein vertrauenswürdiges Postfach gesendet und nicht beim Alias-Anbieter gespeichert. -- Temporäre E-Mail-Dienste haben in der Regel öffentliche Postfächer, auf die jeder zugreifen kann, der die Adresse kennt, während Aliase privat sind. - -Unsere E-Mail-Aliasing-Empfehlungen beziehen sich auf Provider, die es dir ermöglichen, gegen eine geringe Jahresgebühr Aliase für die von ihnen kontrollierten Domains sowie für deine eigene(n) benutzerdefinierte(n) Domain(s) zu erstellen. Sie können auch selbst gehostet werden, für maximale Kontrolle. Die Verwendung einer benutzerdefinierten Domain kann jedoch datenschutzbezogene Nachteile haben: Wenn du die einzige Person bist, die deine benutzerdefinierte Domain verwendet, können deine Aktionen auf verschiedenen Websites leicht nachverfolgt werden, indem einfach der Domainname in der E-Mail-Adresse betrachtet und alles vor dem @-Zeichen ignoriert wird. 
+Unsere E-Mail-Aliasing-Empfehlungen beziehen sich auf Provider, die es dir ermöglichen, gegen eine geringe Jahresgebühr Aliase für die von ihnen kontrollierten Domains sowie für deine eigene(n) benutzerdefinierte(n) Domain(s) zu erstellen. Sie können auch selbst gehostet werden, für maximale Kontrolle. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Die Verwendung eines Alias-Dienstes setzt voraus, dass du sowohl deinem E-Mail-Anbieter als auch deinem Alias-Anbieter deine unverschlüsselten Nachrichten anvertraust. Einige Anbieter entschärfen dieses Problem teils durch automatische PGP-Verschlüsselung[^1], bei der die Anzahl der Parteien, denen du vertrauen musst, von zwei auf eine reduziert wird, indem eingehende E-Mails verschlüsselt werden, bevor sie an deinen endgültigen Mailbox-Anbieter übermittelt werden. 
@@ -42,29 +56,31 @@ Die Verwendung eines Alias-Dienstes setzt voraus, dass du sowohl deinem E-Mail-A ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } -[:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Datenschutzerklärung" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Dokumentation} -[:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Quellcode" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Spenden } +[:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/de/firefox/addon/addy_io/) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -Du kannst unbegrenzt viele Standard-Aliase erstellen, die auf eine Domain wie @[Benutzername].addy.io oder eine benutzerdefinierte Domain bei kostenpflichtigen Tarifen enden. Wie bereits erwähnt, kann sich dies jedoch nachteilig auf deine Privatsphäre auswirken, da andere Personen deine Standard-Aliasnamen allein aufgrund des Domainnamens trivialerweise miteinander verknüpfen können. Standard Aliase sind sinnvoll, wenn geteilte Domains von einer Website geblockt werden. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. Wie bereits erwähnt, kann sich dies jedoch nachteilig auf deine Privatsphäre auswirken, da andere Personen deine Standard-Aliasnamen allein aufgrund des Domainnamens trivialerweise miteinander verknüpfen können. Standard Aliase sind sinnvoll, wenn geteilte Domains von einer Website geblockt werden. 
+ +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Bemerkenswerte kostenlose Funktionen: @@ -84,10 +100,10 @@ Wenn du dein Abonnement kündigst, stehen dir die Funktionen deines bezahlten Ta **SimpleLogin** ist ein kostenloser Dienst, der E-Mail-Aliase für eine Vielzahl von gemeinsam genutzten Domainnamen bereitstellt und optional kostenpflichtige Funktionen wie unbegrenzte Aliase und benutzerdefinierte Domains bietet. -[:octicons-home-16: Homepage](https://simplelogin.io/de/){ .md-button .md-button--primary } -[:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Datenschutzerklärung" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Dokumentation} -[:octicons-code-16:](https://github.com/simple-login){ .card-link title="Quellcode" } +[:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
<0>Downloads @@ -97,18 +113,18 @@ Wenn du dein Abonnement kündigst, stehen dir die Funktionen deines bezahlten Ta - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/de/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff?hl=de-DE) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin wurde [von der Proton AG übernommen](https://proton.me/news/proton-and-simplelogin-join-forces), stand 8. April 2022. Wenn du Proton Mail für deine primäre Mailbox verwendest, ist SimpleLogin eine gute Wahl. Da beide Produkte nun demselben Unternehmen gehören, musst du nur noch einer Partei vertrauen. Wir gehen außerdem davon aus, dass SimpleLogin in Zukunft enger mit den Angeboten von Proton integriert werden wird. SimpleLogin unterstützt weiterhin die Weiterleitung an einen E-Mail-Anbieter deiner Wahl. Securitum [auditierte](https://simplelogin.io/blog/security-audit) SimpleLogin Anfang 2022 und alle Probleme [wurden behoben](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin wurde [von der Proton AG übernommen](https://proton.me/news/proton-and-simplelogin-join-forces), stand 8. April 2022. Wenn du Proton Mail für deine primäre Mailbox verwendest, ist SimpleLogin eine gute Wahl. Da beide Produkte nun demselben Unternehmen gehören, musst du nur noch einer Partei vertrauen. Wir gehen außerdem davon aus, dass SimpleLogin in Zukunft enger mit den Angeboten von Proton integriert werden wird. SimpleLogin unterstützt weiterhin die Weiterleitung an einen E-Mail-Anbieter deiner Wahl. -Du kannst dein SimpleLogin-Konto in den Einstellungen mit deinem Proton-Konto verknüpfen. Wenn du Proton Pass Plus, Proton Unlimited oder einen anderen Proton Multi-User-Tarif hast, erhältst du SimpleLogin Premium kostenlos. +Du kannst dein SimpleLogin-Konto in den Einstellungen mit deinem Proton-Konto verknüpfen. Wenn du Proton Pass Plus, Proton Unlimited oder einen anderen Proton Multi-User-Tarif hast, erhältst du SimpleLogin Premium kostenlos. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -Du kannst auch einen Gutscheincode für SimpleLogin Premium anonym über den offiziellen Reseller [ProxyStore](https://simplelogin.io/faq) kaufen. 
+Securitum [auditierte](https://simplelogin.io/blog/security-audit) SimpleLogin Anfang 2022 und alle Probleme [wurden behoben](https://simplelogin.io/audit2022/web.pdf). Bemerkenswerte kostenlose Funktionen: @@ -121,6 +137,6 @@ Wenn dein Abonnement endet, können alle von dir erstellten Aliase weiterhin E-M ## Kriterien -**Bitte beachte, dass wir mit keinem der von uns empfohlenen Anbieter verbunden sind.** Zusätzlich zu [unseren Standardkriterien](about/criteria.md) bewerten wir E-Mail-Alias-Anbieter nach denselben Standards wie bei unseren regulären [E-Mail-Anbieter-Kriterien](email.md#criteria), sofern anwendbar. Wir empfehlen, sich mit dieser Liste vertraut zu machen, bevor du dich für einen E-Mail-Dienst entscheidest, und deine eigenen Nachforschungen anstellst, um sicherzustellen, dass der gewählte Anbieter die richtige Wahl für dich ist. +**Bitte beachte, dass wir mit keinem der von uns empfohlenen Anbieter verbunden sind.** Zusätzlich zu [unseren Standardkriterien](about/criteria.md) bewerten wir E-Mail-Alias-Anbieter nach denselben Standards wie bei unseren regulären [E-Mail-Anbieter-Kriterien](email.md#criteria), sofern anwendbar. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Mit der automatischen PGP-Verschlüsselung kannst du unverschlüsselte eingehende E-Mails verschlüsseln, bevor sie an dein Postfach weitergeleitet werden, sodass dein primärer Mail-Anbieter niemals unverschlüsselte E-Mail-Inhalte sieht. diff --git a/i18n/de/email-clients.md b/i18n/de/email-clients.md index 3a006861..a14dcda1 100644 --- a/i18n/de/email-clients.md +++ b/i18n/de/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Diensteanbieter](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/de/email.md b/i18n/de/email.md index 9abc1367..04c1a6ff 100644 --- a/i18n/de/email.md +++ b/i18n/de/email.md 
@@ -22,19 +22,19 @@ E-Mail ist praktisch eine Voraussetzung für die Nutzung aller Online-Dienste, w Für alles andere empfehlen wir eine Reihe von E-Mail-Anbietern, die auf nachhaltigen Geschäftsmodellen basieren und integrierte Sicherheits- und Datenschutzfunktionen bieten. Weitere Informationen findest du in unserem [vollständigen Kriterienkatalog](#criteria). -| Anbieter | OpenPGP / WKD | IMAP / SMTP | Null-Zugriff-Verschlüsselung | Anonyme Zahlungen | -| --------------------------- | -------------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------- | ----------------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Nur kostenpflichtige Pläne | :material-check:{ .pg-green } | Bargeld | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Nur Mail | Bargeld | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Bargeld über Drittanbieter | +| Anbieter | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Nur kostenpflichtige Pläne | :material-check:{ .pg-green } | Bargeld | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Nur Mail | Bargeld | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | 
:material-check:{ .pg-green } | Monero
Cash via third party | -Zusätzlich zu (oder anstelle von) einem hier empfohlenen E-Mail-Anbieter kannst du einen speziellen [E-Mail-Aliasing-Dienst](email-aliasing.md) in Betracht ziehen, um deine Privatsphäre zu schützen. Diese Dienste können unter anderem dazu beitragen, deinen echten Posteingang vor Spam zu schützen, zu verhindern, dass Vermarkter deine Konten miteinander in Verbindung bringen, und alle eingehenden Nachrichten mit PGP zu verschlüsseln. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Diese Dienste können unter anderem dazu beitragen, deinen echten Posteingang vor Spam zu schützen, zu verhindern, dass Vermarkter deine Konten miteinander in Verbindung bringen, und alle eingehenden Nachrichten mit PGP zu verschlüsseln. - [Weitere Informationen :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP-kompatible Dienste -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Zum Beispiel können Kunden von Proton Mail eine E2EE-Nachricht an Kunden von Mailbox.org senden oder sie können OpenPGP-verschlüsselte Benachrichtigungen von Internetdiensten erhalten, die dies unterstützen. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Zum Beispiel können Kunden von Proton Mail eine E2EE-Nachricht an Kunden von Mailbox.org senden oder sie können OpenPGP-verschlüsselte Benachrichtigungen von Internetdiensten erhalten, die dies unterstützen.
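Review bot: In hunk @@ -22,19 +22,19 @@ of i18n/de/email.md the Tuta row's last cell of the rewritten comparison table is broken across two lines ("Monero" on one line, "Cash via third party |" on the next); a Markdown pipe table cannot hold a raw line break inside a cell, so this row will not render as part of the table. The replaced row kept the cell on one line ("Monero & Bargeld über Drittanbieter"); either join the cell again or use `<br>` inside it. The same hunk also swaps the German column headers "Null-Zugriff-Verschlüsselung" and "Anonyme Zahlungen" for the English source strings "Zero-Access Encryption" and "Anonymous Payment Methods", and the aliasing paragraph now starts in English ("In addition to (or instead of) an email provider recommended here ...") while its second sentence stays German ("Diese Dienste können unter anderem ..."). These are Crowdin fallbacks to the source language, and the pattern repeats through the rest of this file in the patch; the strings should be re-translated before the sync is merged rather than shipped half-English. Only the anchor change to `email-aliasing.md#recommended-providers` and the removal of the separate "Weitere Informationen" link line are real content changes here.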
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key Wenn du eine E2EE-Technologie wie OpenPGP verwendest, enthält deine E-Mail immer noch einige unverschlüsselte Metadaten im Header bzw. Quelltext der E-Mail, einschließlich der Betreffzeile! Lies mehr über [E-Mail-Metadaten](basics/email-security.md#email-metadata-overview). -OpenPGP unterstützt auch keine Forward Secrecy. Das heißt, wenn entweder dein privater Schlüssel oder der des Empfängers gestohlen wird, sind alle vorher damit verschlüsselten Nachrichten offen. [Wie schütze ich meine privaten Schlüssel?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
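Review bot: In hunk @@ -48,7 +48,9 @@ the removed German line already translated the forward-secrecy statement in full ("OpenPGP unterstützt auch keine Forward Secrecy. Das heißt, wenn entweder dein privater Schlüssel oder der des Empfängers gestohlen wird, sind alle vorher damit verschlüsselten Nachrichten offen."), so only the structural part of the source change needs carrying over: the inline "Wie schütze ich meine privaten Schlüssel?" link becomes a standalone bullet. Suggest keeping the German sentence and adding the bullet as "- [Wie schütze ich meine privaten Schlüssel?](basics/email-security.md#how-do-i-protect-my-private-keys)" instead of the English "OpenPGP also does not support forward secrecy ..." paragraph, which now sits between two German paragraphs.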
@@ -58,7 +60,9 @@ OpenPGP unterstützt auch keine Forward Secrecy. Das heißt, wenn entweder dein ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** ist ein E-Mail-Dienst mit dem Schwerpunkt auf Datenschutz, Verschlüsselung, Sicherheit und Benutzerfreundlichkeit. Sie sind seit 2013 in Betrieb. Die Proton AG hat ihren Sitz in Genf, Schweiz. Der Proton Mail Free Tarif beinhaltet 500 MB Mailspeicher, den du kostenlos auf bis zu 1 GB erweitern kannst. +**Proton Mail** ist ein E-Mail-Dienst mit dem Schwerpunkt auf Datenschutz, Verschlüsselung, Sicherheit und Benutzerfreundlichkeit. Sie sind seit 2013 in Betrieb. Die Proton AG hat ihren Sitz in Genf, Schweiz. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/de/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP unterstützt auch keine Forward Secrecy. Das heißt, wenn entweder dein -Kostenlose Konten haben einige Einschränkungen, wie z. B. die fehlende Möglichkeit Text zu durchsuchen und keinen Zugang zu [Proton Mail Bridge](https://proton.me/mail/bridge). Diese ist für die Verwendung eines [empfohlenen Desktop-E-Mail-Programms](email-clients.md) (z. B. Thunderbird) erforderlich. Bezahlte Konten umfassen Funktionen wie Proton Mail Bridge, zusätzlichen Speicher und die Nutzung eigener Domains. Am 9. November 2021 wurden durch [Securitum](https://research.securitum.com) ein Sicherheitsaudit durchgeführt und die Anwendungen von Proton Mail [zertifiziert](https://proton.me/blog/security-audit-all-proton-apps). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Bezahlte Konten umfassen Funktionen wie Proton Mail Bridge, zusätzlichen Speicher und die Nutzung eigener Domains. Wenn du den Proton-Unlimited-Tarif oder einen beliebigen Multi-User-Proton-Tarif hast, erhältst du auch [SimpleLogin](email-aliasing.md#simplelogin) Premium kostenlos. -Wenn du den Proton-Unlimited-Tarif oder einen beliebigen Multi-User-Proton-Tarif hast, erhältst du auch [SimpleLogin](email-aliasing.md#simplelogin) Premium kostenlos. +Am 9. November 2021 wurden durch [Securitum](https://research.securitum.com) ein Sicherheitsaudit durchgeführt und die Anwendungen von Proton Mail [zertifiziert](https://proton.me/blog/security-audit-all-proton-apps). Proton Mail hat interne Absturzberichte, die sie **nicht** mit Dritten teilen. Dies kann in der Web-App deaktiviert werden: :gear: → **Alle Einstellungen** → **Konto** → **Sicherheit und Datenschutz** → **Privatsphäre und Datenerfassung**. 
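Review bot: In hunk @@ -81,9 +85,9 @@ the audit sentence is moved into its own paragraph but keeps a number-agreement error: "Am 9. November 2021 wurden durch [Securitum](...) ein Sicherheitsaudit durchgeführt" has the singular subject "ein Sicherheitsaudit", so the verb must be "wurde". Since the line is touched anyway, fix it while moving it. The reorder itself (SimpleLogin sentence joined to the paid-account paragraph, audit sentence placed before the crash-report paragraph) mirrors the source and is fine; the first sentence of that paragraph ("Free accounts have some limitations ...") is another untranslated fallback replacing a complete German sentence.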
@@ -93,7 +97,7 @@ Nutzer eines kostenpflichtigen Proton Mail Tarifs können ihre eigene Domain ode #### :material-check:{ .pg-green } Diskrete Zahlungsmöglichkeiten -Proton Mail akzeptiert, neben den üblichen Zahlungen per Kredit-/Debitkarte, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc)und PayPal, auch [Bargeld per Post](https://proton.me/support/payment-options). +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Kontosicherheit 
@@ -109,7 +113,7 @@ Bestimmte Informationen, die in [Proton Contacts](https://proton.me/support/prot Proton Mail hat [die OpenPGP-Verschlüsselung](https://proton.me/support/how-to-use-pgp) in sein Webmail integriert. E-Mails an andere Proton Mail-Konten werden automatisch verschlüsselt. Die Verschlüsselung an Nicht-Proton Mail-Adressen mit einem OpenPGP-Schlüssel kannst du ganz einfach in deinen Kontoeinstellungen aktivieren. Proton also supports automatic external key discovery with WKD. Das bedeutet, dass E-Mails an andere Anbieter, die WKD verwenden, automatisch auch mit OpenPGP verschlüsselt werden, ohne dass du manuell öffentliche PGP-Schlüssel mit deinen Kontakten austauschen musst. Außerdem ist es möglich, [Nachrichten an Nicht-Proton-Mail-Adressen ohne OpenPGP zu verschlüsseln](https://proton.me/support/password-protected-emails), ohne dass die Empfänger ein Proton-Mail-Konto benötigen. -Auch veröffentlicht Proton Mail öffentlichen Schlüssel der Proton-Konten über HTTP von ihrem WKD. Dies ermöglicht es Personen, die Proton Mail nicht verwenden, die OpenPGP-Schlüssel von Proton Mail-Konten für anbieterübergreifende E2EE leicht zu finden. Dies gilt nur für E-Mail-Adressen, die auf eine der Proton-eigenen Domains enden, wie @proton.me. Um eine eigene Domain zu verwenden, musst du [WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separat konfigurieren. +Auch veröffentlicht Proton Mail öffentlichen Schlüssel der Proton-Konten über HTTP von ihrem WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Kontokündigung 
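Review bot: In hunk @@ -109,7 +113,7 @@ the retained German lead sentence "Auch veröffentlicht Proton Mail öffentlichen Schlüssel der Proton-Konten über HTTP von ihrem WKD." is missing its article and should read "die öffentlichen Schlüssel"; the three sentences after it ("This allows people who don't use Proton Mail ...", "This only applies ...", "If you use a custom domain ...") replace existing German translations that said the same thing, so this paragraph should stay German. The link path change from `./basics/email-security.md` to `basics/email-security.md` and the code-formatting of `@proton.me` are fine and match the Mailbox.org paragraph later in the patch.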
@@ -117,17 +121,17 @@ Wenn du ein kostenpflichtiges Konto hast und deine Rechnung [nach 14 Tagen noch #### :material-information-outline:{ .pg-blue } Zusätzliche Funktionen -Der [Unlimited-Tarif](https://proton.me/de/support/proton-plans#proton-unlimited) von Proton Mail ermöglicht auch den Zugang zu anderen Proton-Diensten und bietet darüber hinaus mehrere benutzerdefinierte Domains, eine unbegrenzte Anzahl von "Hide-my-email"-Aliasnamen und 500 GB Speicherplatz. - -Proton Mail bietet keine Funktion für deinen digitalen Nachlass. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Mailbox.org-Logo](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** ist ein E-Mail-Dienst, mit dem Ziel sicher und werbefrei zu sein und der mit 100 % Ökostrom betrieben wird. Er wird seit 2014 betrieben. Mailbox.org hat seinen Sitz in Berlin, Deutschland. Konten beginnen mit 2 GB Speicherplatz, der nach Bedarf erweitert werden kann. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. Er wird seit 2014 betrieben. Mailbox.org hat seinen Sitz in Berlin, Deutschland. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/de/datenschutz){ .card-link title="Datenschutzrichtlinie" } 
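Review bot: In hunk @@ -117,17 +121,17 @@ the Unlimited-plan link loses its locale path (`https://proton.me/de/support/proton-plans#proton-unlimited` becomes `https://proton.me/support/proton-plans#proton-unlimited`) while the Homepage button in the Proton section of this same file still points at `https://proton.me/de/mail`; pick one convention for proton.me links in the de locale. The deleted line "Proton Mail bietet keine Funktion für deinen digitalen Nachlass." is matched by the deletion of the equivalent Tuta line in hunk @@ -248,8 +254,6 @@, so the digital-legacy feature is now only mentioned for Mailbox.org, where it exists; that intent is not stated anywhere and deserves a sentence in the commit body. In the Mailbox.org intro, "Accounts start with up to 2 GB storage" is not equivalent to the removed "Konten beginnen mit 2 GB Speicherplatz"; a re-translation should carry the "up to" ("bis zu 2 GB").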
@@ -148,23 +152,23 @@ Bei Mailbox.org kannst du deine eigene Domain verwenden, und es werden [Catch-Al #### :material-check:{ .pg-green } Diskrete Zahlungsmöglichkeiten -Mailbox.org akzeptiert keine Kryptowährungen, da deren Zahlungsanbieter BitPay seinen Betrieb in Deutschland eingestellt hat. Sie akzeptieren jedoch Bargeld per Post, Bareinzahlung auf ein Bankkonto, Banküberweisung, Kreditkarte, PayPal und einige Deutschland spezifische Anbieter: paydirekt und Sofortüberweisung. +Mailbox.org akzeptiert keine Kryptowährungen, da deren Zahlungsanbieter BitPay seinen Betrieb in Deutschland eingestellt hat. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Kontosicherheit -Mailbox.org unterstützt [Zwei-Faktor-Authentisierung](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) nur für Webmail. Du kannst entweder TOTP oder einen [YubiKey](https://en.wikipedia.org/wiki/YubiKey) über die [YubiCloud](https://yubico.com/products/services-software/yubicloud) verwenden. Webstandards wie [WebAuthn](https://de.wikipedia.org/wiki/WebAuthn) werden noch nicht unterstützt. +Mailbox.org unterstützt [Zwei-Faktor-Authentisierung](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) nur für Webmail. Du kannst entweder TOTP oder einen [YubiKey](https://en.wikipedia.org/wiki/YubiKey) über die [YubiCloud](https://yubico.com/products/services-software/yubicloud) verwenden. Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Datensicherheit Mailbox.org ermöglicht die Verschlüsselung von eingehenden E-Mails mit der [verschlüsselten Mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
Neue eingehende Nachrichten werden dann sofort mit deinem öffentlichen Schlüssel verschlüsselt. -[Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), die von Mailbox.org genutzte Software-Plattform, [unterstützt jedoch nicht](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) die Verschlüsselung deines Adressbuchs und Kalenders. Eine [eigenständige Lösung](calendar.md) könnte für diese Informationen besser geeignet sein. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } E-Mail-Verschlüsselung Mailbox.org hat die [Verschlüsselung in sein Webmail integriert](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard), was den Versand von Nachrichten an Personen mit öffentlichen OpenPGP-Schlüsseln vereinfacht. Sie erlauben es auch entfernten Empfängern [eine E-Mail](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) auf den Servern von Mailbox.org zu entschlüsseln. Diese Funktion ist nützlich, wenn der Empfänger OpenPGP nicht nutzt und daher eine Kopie der E-Mail in seinem eigenen Postfach nicht entschlüsseln kann. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Dies ermöglicht es Personen, die Mailbox.org nicht verwenden, die OpenPGP-Schlüssel von Mailbox.org-Konten für anbieterübergreifende E2EE leicht zu finden. Dies gilt nur für E-Mail-Adressen, die auf eine der Mailbox.org-eigenen Domains enden, wie @mailbox.org. Um eine eigene Domain zu verwenden, musst du [WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separat konfigurieren. 
+Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Kontokündigung @@ -176,7 +180,7 @@ Du kannst auf Ihr Mailbox.org-Konto über IMAP/SMTP zugreifen, indem du deren [. Alle Konten verfügen über einen begrenzten Cloud-Speicher, der [verschlüsselt werden kann](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org bietet auch den Alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely) an, der die TLS-Verschlüsselung der Verbindung zwischen den Mailservern erzwingt, ansonsten wird die Nachricht erst gar nicht gesendet. Mailbox.org unterstützt neben den Standardzugriffsprotokollen wie IMAP und POP3 auch [Exchange ActiveSync](https://de.wikipedia.org/wiki/Exchange_ActiveSync). -Mailbox.org bietet für alle Tarife eine digitale Hinterlassenschaft an. Du kannst wählen, ob deine Daten an die Erben weitergegeben werden sollen, sofern diese einen Antrag stellen und dein Testament vorlegen. Alternativ kannst du auch eine Person mit Namen und Adresse benennen. +Mailbox.org bietet für alle Tarife eine digitale Hinterlassenschaft an. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternativ kannst du auch eine Person mit Namen und Adresse benennen. ## Weitere Anbieter 
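Review bot: In hunk @@ -148,23 +152,23 @@ the correction of "Open-Exchange" to "Open-Xchange" is right (it is the product name and matches the Wikipedia link target), but it arrives wrapped in a full English replacement of a sentence whose German version ("[unterstützt jedoch nicht](...) die Verschlüsselung deines Adressbuchs und Kalenders. Eine [eigenständige Lösung](calendar.md) könnte für diese Informationen besser geeignet sein.") was already correct apart from that one word; the same applies to the Mailbox.org WKD paragraph, where only `@mailbox.org` gaining code formatting and the link path losing `./` changed. Pointing the WebAuthn link at `basics/multi-factor-authentication.md#fido-fast-identity-online` instead of Wikipedia is consistent with the criteria section later in the patch and is fine.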
@@ -195,7 +199,9 @@ Diese Anbieter speichern deine E-Mails mit Zero-Knowledge-Verschlüsselung und s ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (ehemals *Tutanota*) ist ein E-Mail-Dienst mit einem Fokus auf Sicherheit und Privatsphäre durch Verschlüsselung. Tuta ist seit 2011 in Betrieb und hat seinen Sitz in Hannover, Deutschland. Kostenlose Konten beginnen mit 1 GB Speicherplatz. +**Tuta** (ehemals *Tutanota*) ist ein E-Mail-Dienst mit einem Fokus auf Sicherheit und Privatsphäre durch Verschlüsselung. Tuta ist seit 2011 in Betrieb und hat seinen Sitz in Hannover, Deutschland. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/de/privacy-policy){ .card-link title="Datenschutzerklärung" } @@ -226,7 +232,7 @@ Bezahlte Tuta-Konten können je nach Tarif entweder 15 oder 30 Aliase und unbegr #### :material-information-outline:{ .pg-blue } Private Zahlungsmöglichkeiten -Tuta akzeptiert nur Kreditkarten und PayPal, aber [Kryptowährung](cryptocurrency.md) kann verwendet werden, um Guthabenkarten über ihre [Partnerschaft](https://tuta.com/support/#cryptocurrency) mit Proxystore zu kaufen. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Kontosicherheit 
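Review bot: In hunk @@ -226,7 +232,7 @@ the new payment sentence is a comma splice: "Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used ..." needs either a semicolon before "however" or a split into two sentences; the removed German line "Tuta akzeptiert nur Kreditkarten und PayPal, aber [Kryptowährung](cryptocurrency.md) kann verwendet werden ..." was well formed and only needs the casing fix "Proxystore" to "ProxyStore" that the source change introduces. In hunk @@ -195,7 +199,9 @@ the only substantive change is moving "Free accounts start with 1 GB of storage." into its own paragraph, which the German "Kostenlose Konten beginnen mit 1 GB Speicherplatz." can provide unchanged.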
@@ -234,7 +240,7 @@ Tuta unterstützt die [Zwei-Faktor-Authentisierung](https://tuta.com/support#2fa #### :material-check:{ .pg-green } Datensicherheit -Tuta bietet eine [Zero-Access-Verschlüsselung im Ruhezustand](https://tuta.com/support#what-encrypted) für Ihre E-Mails, [Adressbuchkontakte](https://tuta.com/support#encrypted-address-book) und [Kalender](https://tuta.com/support#calendar). Das bedeutet, dass die in deinem Konto gespeicherten Nachrichten und andere Daten nur von dir gelesen werden können. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Das bedeutet, dass die in deinem Konto gespeicherten Nachrichten und andere Daten nur von dir gelesen werden können. #### :material-information-outline:{ .pg-blue } E-Mail-Verschlüsselung @@ -248,8 +254,6 @@ Tuta [löscht inaktive kostenlose Konten](https://tuta.com/support#inactive-acco Tuta bietet die Business-Version von [Tuta für gemeinnützige Organisationen](https://tuta.com/blog/secure-email-for-non-profit) kostenlos oder mit einem starken Rabatt. -Tuta bietet keine Funktion für deinen digitalen Nachlass. - ## E-Mail Selbst Hosten Fortgeschrittene Systemadministratoren können die Einrichtung eines eigenen E-Mail-Servers in Erwägung ziehen. Mailserver erfordern Aufmerksamkeit und ständige Wartung, um die Sicherheit und die Zuverlässigkeit der Mailzustellung zu gewährleisten. Zusätzlich zu den unten aufgeführten "All-in-One"-Lösungen haben wir einige Artikel herausgesucht, die einen eher manuellen Ansatz behandeln: 
@@ -315,52 +319,53 @@ Wir halten diese Merkmale für wichtig, um einen sicheren und optimalen Service **Mindestvoraussetzung um sich zu qualifizieren:** -- Verschlüsselt die Daten von E-Mail-Konten im Ruhezustand mit Zero-Access-Verschlüsselung. -- Exportmöglichkeit als [Mbox](https://de.wikipedia.org/wiki/Mbox) oder individuelle .EML mit [RFC5322](https://datatracker.ietf.org/doc/rfc5322)-Standard. -- Arbeitet auf einer eigenen Infrastruktur, d.h. nicht auf der eines Drittanbieters von E-Mail-Diensten. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Benutzerdefinierte Domänennamen sind für die Nutzer wichtig, da du so deine Identität von dem Dienst fernhalten kannst, falls dieser sich als schlecht erweist oder von einem anderen Unternehmen übernommen wird, bei dem der Datenschutz keine Rolle spielt. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Im besten Fall:** -- Verschlüsselt alle Kontodaten (Kontakte, Kalender usw.) im Ruhezustand mit Zero-Access-Verschlüsselung. -- Integrierte Webmail E2EE/PGP-Verschlüsselung als Komfortfunktion. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG-Benutzer können einen Schlüssel erhalten, indem sie Folgendes eingeben: `gpg --locate-key beispiel_nutzer@example.com` -- Unterstützung für eine temporäre Mailbox für externe Benutzer. Dies ist nützlich, wenn du eine verschlüsselte E-Mail versenden möchtest, ohne eine Kopie an den Empfänger zu senden. Diese E-Mails haben in der Regel eine begrenzte Lebensdauer und werden dann automatisch gelöscht. Sie erfordern auch nicht, dass der Empfänger eine Kryptographie wie OpenPGP konfiguriert. 
-- Verfügbarkeit der Dienste des E-Mail-Anbieters über einen [onion service](https://de.wikipedia.org/wiki/.onion). -- Unterstützung [von Unteradressen](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Benutzerdefinierte Domänennamen sind für die Nutzer wichtig, da du so deine Identität von dem Dienst fernhalten kannst, falls dieser sich als schlecht erweist oder von einem anderen Unternehmen übernommen wird, bei dem der Datenschutz keine Rolle spielt. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Unterstützung für eine temporäre Mailbox für externe Benutzer. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. Diese E-Mails haben in der Regel eine begrenzte Lebensdauer und werden dann automatisch gelöscht. Sie erfordern auch nicht, dass der Empfänger eine Kryptographie wie OpenPGP konfiguriert. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Benutzerdefinierte Domänennamen sind für die Nutzer wichtig, da du so deine Identität von dem Dienst fernhalten kannst, falls dieser sich als schlecht erweist oder von einem anderen Unternehmen übernommen wird, bei dem der Datenschutz keine Rolle spielt. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). 
Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Datenschutz -Wir ziehen es vor, dass die von uns empfohlenen Anbieter so wenig Daten wie möglich sammeln. +Wir ziehen es vor, dass die von uns empfohlenen Anbieter*innen so wenig Daten wie möglich sammeln. **Mindestvoraussetzung um zu qualifizieren:** -- Schutz der IP-Adresse des Absenders, was bedeuten kann, dass sie im Feld `Received`-Header nicht angezeigt wird. -- Benötigt keine personenbezogenen Daten (PII) außer eines Benutzernamens und eines Passwortes. -- Datenschutzrichtlinien, die den Anforderungen der DSGVO entsprechen. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Im besten Fall:** -- Akzeptiert [anonyme Zahlungsmöglichkeiten](advanced/payments.md) ([Kryptowährungen](cryptocurrency.md), Bargeld, Geschenkkarten, etc.) -- Gehostet in einem Land mit strengen Gesetzen zum Schutz des E-Mail-Verkehrs. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Sicherheit -Auf E-Mail-Servern werden viele sehr sensible Daten verarbeitet. Wir erwarten, dass die Anbieter die besten Praktiken der Branche übernehmen, um ihre Kunden zu schützen. 
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. -**Mindestvoraussetzung um sich zu qualifizieren:** +**Mindestvoraussetzung um zu qualifizieren:** -- Schutz von Webmail mit 2FA, wie TOTP. -- Zero-Access-Verschlüsselung, die auf Verschlüsselung auf dem Gerät aufbaut. Der Anbieter verfügt nicht über die Entschlüsselungsschlüssel zu den Daten, die er besitzt. So wird verhindert, dass ein abtrünniger Mitarbeitender Daten preisgibt, auf die er/sie Zugriff hat, oder dass ein Angreifender Daten freigibt, die er/sie gestohlen hat, indem er/sie sich unbefugt Zugang zum Server verschafft. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. Der Anbieter verfügt nicht über die Entschlüsselungsschlüssel zu den Daten, die er besitzt. So wird verhindert, dass ein abtrünniger Mitarbeitender Daten preisgibt, auf die er/sie Zugriff hat, oder dass ein Angreifender Daten freigibt, die er/sie gestohlen hat, indem er/sie sich unbefugt Zugang zum Server verschafft. - [DNSSEC](https://de.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) Unterstützung. - Keine TLS-Fehler oder -Schwachstellen beim Profiling durch Tools wie [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh)oder [Qualys SSL Labs](https://ssllabs.com/ssltest); dies schließt zertifikatsbezogene Fehler und schwache DH-Parameter ein, wie z. B. die, die zu [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)) führten. -- Eine Server-Suite-Präferenz (optional bei TLSv1.3) für starke Cipher-Suites, die Forward Secrecy und authentifizierte Verschlüsselung unterstützen. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. 
- Eine gültige [MTA-STS](https://tools.ietf.org/html/rfc8461) und [TLS-RPT](https://tools.ietf.org/html/rfc8460) Richtlinie. - Gültige [DANE](https://de.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) Datensätze. - Gültige [SPF](https://de.wikipedia.org/wiki/Sender_Policy_Framework) und [DKIM](https://de.wikipedia.org/wiki/DomainKeys_Identified_Mail) Einträge. -- Besitzen eines ordnungsgemäßen [DMARC](https://de.wikipedia.org/wiki/DMARC) Datensatzes und einer Richtlinie oder verwenden von [ARC](https://de.wikipedia.org/wiki/Authenticated_Received_Chain) für die Authentifizierung. Wenn die DMARC-Authentifizierung verwendet wird, muss die Richtlinie auf `reject` oder `quarantine` eingestellt sein. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. Wenn die DMARC-Authentifizierung verwendet wird, muss die Richtlinie auf `reject` oder `quarantine` eingestellt sein. - Eine Server-Suite-Einstellung mit TLS 1.2 oder höher und ein Plan für [RFC8996](https://datatracker.ietf.org/doc/rfc8996). - [SMTPS](https://de.wikipedia.org/wiki/SMTPS) Übermittlung, vorausgesetzt, SMTP wird verwendet. - Website-Sicherheitsstandards wie z. B.: 
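Review bot: In hunk @@ -315,52 +319,53 @@ the custom-domain requirement now appears in both lists: it is added to the minimum list ("- Allow users to use their own [domain name](...)") and retained in the best-case list ("- Should allow users to use their own [domain name](...)"), each followed by the same German explanation ("Benutzerdefinierte Domänennamen sind für die Nutzer wichtig ..."); a requirement cannot be both mandatory and optional, so one of the two should go. Three further consistency points in the same hunk: the headings changed to "**Mindestvoraussetzung um zu qualifizieren:**" drop the reflexive pronoun and are no longer grammatical German, while the first heading in this hunk still reads "**Mindestvoraussetzung um sich zu qualifizieren:**" (keep "sich" everywhere); "Anbieter*innen" is introduced in one sentence while the rest of the section, including "Der Anbieter verfügt nicht über die Entschlüsselungsschlüssel" in this hunk, uses "Anbieter"; and the new minimum list prefixes "Must" on three items but not on the domain-name item, just as the best-case list mixes "Should ..." items with "Unterstützung für eine temporäre Mailbox ..." and "Catch-all or alias functionality ...". Drive-by: the unchanged context line "[testssl.sh](https://testssl.sh)oder" is missing a space before "oder".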
@@ -368,12 +373,12 @@ Auf E-Mail-Servern werden viele sehr sensible Daten verarbeitet. Wir erwarten, d - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) wenn Dinge von externen Domains geladen werden. - Muss die Anzeige von [Message Headers](https://de.wikipedia.org/wiki/Header_(E-Mail)) unterstützen, da dies eine wichtige forensische Funktion ist, um festzustellen, ob eine E-Mail ein Phishing-Versuch ist. -**Im Besten Fall:** +**Im besten Fall:** -- Unterstützung für Hardware-Authentisierung, z. B. U2F und [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F und [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) zusätzlich zur DANE-Unterstützung. -- Implementierung von [Authenticated Received Chain (ARC)](https://de.wikipedia.org/wiki/Authenticated_Received_Chain), was für Personen nützlich ist, die auf Mailing-Listen posten ([RFC8617](https://tools.ietf.org/html/rfc8617)). -- Veröffentlichte Sicherheitsaudits durch ein angesehenes Drittunternehmen. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-Bounty-Programme und/oder ein koordiniertes Verfahren zur Offenlegung von Sicherheitslücken. - Website-Sicherheitsstandards wie z. B.: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
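Review bot: In hunk @@ -368,12 +373,12 @@ "Should support hardware authentication, i.e. U2F und [WebAuthn](...)" changes the meaning of the removed German line, which used "z. B." (for example); "i.e." turns two examples into an exhaustive definition, and the line now mixes English "i.e." with German "und". Keep "z. B. U2F und WebAuthn" (or, if the source now genuinely says "i.e.", the German equivalent "d. h."). The ARC bullet also drops the parentheses around the RFC link that the German line had ("([RFC8617](...))"), leaving "post to mailing lists [RFC8617](...)" without punctuation. The casing fix "Im Besten Fall" to "Im besten Fall" is correct and matches the other headings.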
@@ -381,36 +386,33 @@ Auf E-Mail-Servern werden viele sehr sensible Daten verarbeitet. Wir erwarten, d ### Vertrauen -Du würdest jemandem mit einer gefälschten Identität nicht deine Finanzen anvertrauen, warum solltest du ihm also deine E-Mails anvertrauen? Wir verlangen von den von uns empfohlenen Anbietern, dass sie ihre Eigentumsverhältnisse oder ihre Führungsrolle öffentlich machen. Außerdem wünschen wir uns häufige Transparenzberichte, insbesondere über die Bearbeitung von Regierungsanfragen. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Wir setzen für die von uns empfohlenen Anbietern voraus, dass sie ihre Eigentumsverhältnisse oder ihre Führungsrolle öffentlich gemacht haben. Außerdem wünschen wir uns häufige Transparenzberichte, insbesondere über die Bearbeitung von Regierungsanfragen. **Mindestvoraussetzung um zu qualifizieren:** - Öffentliche Führung oder Eigentum. -**Im Besten Fall:** +**Im besten Fall:** - Häufige Transparenzberichte. ### Marketing -Bei den von uns empfohlenen E-Mail-Anbietern legen wir Wert auf ein verantwortungsvolles Marketing. +With the email providers we recommend, we like to see responsible marketing. -**Mindestvoraussetzung um sich zu qualifizieren:** +**Mindestvoraussetzung um zu qualifizieren:** -- Muss seine Analyse-Tools selbst hosten (kein Google Analytics, Adobe Analytics etc.). - -Es darf kein unverantwortliches Marketing betrieben werden, wozu Folgendes gehören kann: - -- Behauptung einer "unknackbaren Verschlüsselung". Die Verschlüsselung sollte in der Voraussicht eingesetzt werden, dass sie in Zukunft möglicherweise nicht mehr geheim ist, wenn die Technologie vorhanden ist, um sie zu knacken. -- Gewährleistung eines 100%igen Schutzes der Anonymität. Wenn jemand behauptet, etwas sei zu 100% sicher, bedeutet das, dass es keine Sicherheit für ein Scheitern gibt. Wir wissen, dass Menschen sich auf verschiedene Weise recht einfach deanonymisieren können, z. 
B.: - - - Wiederverwendung persönlicher Informationen (z. B. E-Mail-Konten, eindeutige Pseudonyme usw.), auf die sie ohne Anonymisierungssoftware (Tor, VPN usw.) zugegriffen haben - - [Browser-Fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser-Fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Im besten Fall:** -- Klare und leicht zu lesende Dokumentation für Aufgaben wie die Einrichtung von 2FA, E-Mail-Clients, OpenPGP usw. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Zusätzliche Funktionalitäten -Obwohl es sich nicht um strenge Anforderungen handelt, haben wir bei der Auswahl der zu empfehlenden Anbieter auch andere Faktoren wie Komfort oder Datenschutz berücksichtigt. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/de/os/android-overview.md b/i18n/de/os/android-overview.md index 6bea3fdc..7c5a8117 100644 --- a/i18n/de/os/android-overview.md +++ b/i18n/de/os/android-overview.md 
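Review bot: In hunk @@ -381,36 +386,33 @@ the rewritten trust sentence has a case error: "Wir setzen für die von uns empfohlenen Anbietern voraus" must be "für die ... empfohlenen Anbieter" (accusative plural takes no -n). In the restructured marketing list, "Reusing personal information e.g. (email accounts, unique pseudonyms, etc.)" places "e.g." outside the parenthesis; it should read "(e.g. email accounts, unique pseudonyms, etc.)", as the removed German line did with "(z. B. E-Mail-Konten, eindeutige Pseudonyme usw.)". "Browser-Fingerprinting" keeps the German hyphenated compound inside an otherwise English bullet. Structurally, folding "Es darf kein unverantwortliches Marketing betrieben werden" into the list item "Must not have any irresponsible marketing, which can include the following:" with nested sub-bullets matches the source layout and is fine.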
@@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
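Review bot: The only change is the OAuth link target moving from Wikipedia to `../basics/account-creation.md#sign-in-with-oauth`; confirm that slug is what the site's slugifier produces for the heading `### "Sign in with..." (OAuth)` once quotes, dots and parentheses are stripped, otherwise the anchor silently resolves to the page top. The surrounding context in this German file is still English, so the page itself is untranslated, but that predates this change.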
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/el/basics/account-creation.md b/i18n/el/basics/account-creation.md index 5dcc8a21..6df07a05 100644 --- a/i18n/el/basics/account-creation.md +++ b/i18n/el/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/el/basics/email-security.md b/i18n/el/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/el/basics/email-security.md +++ b/i18n/el/basics/email-security.md 
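Review bot: The new link text "Open Authorization (OAuth)" sits in a sentence that still calls OAuth "an authentication protocol"; the name itself says authorization, and signing in with it is a layer built on top, so the added wording makes the mismatch visible. Suggest "is an authorization protocol that allows you to register for a service…". The same "strong authentication such as Open Authorization (OAuth)" phrasing appears in the email-clients.md hunk further down, so fix both together. Separately, the bullet label "**Ease-of-use**" should stay "Ease of use": the hyphenated form is only for use as a compound adjective, and here it is a noun.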
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
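Review bot: "Google Workplace" on the modified S/MIME line is a typo for the product name Google Workspace; since this line is being edited anyway, fix it here. The same edit drops the comma after "however", leaving "…called S/MIME, however it requires…" as a run-on; keep "however, it requires" or split the sentence. The GnuPG link now points at `../encryption.md#gnu-privacy-guard`; check that anchor exists in the el encryption.md rather than only in the English source.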
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/el/email-aliasing.md b/i18n/el/email-aliasing.md index bc73aeb2..87d0fd0e 100644 --- a/i18n/el/email-aliasing.md +++ b/i18n/el/email-aliasing.md 
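Review bot: The rewritten sentence "Email metadata is protected from outside observers with opportunistic TLS" removes the duplicated clause but keeps an unqualified claim: opportunistic TLS is only negotiated when both relaying servers support it and falls back to plaintext otherwise, so metadata is shielded in transit only on hops where TLS was actually established. Suggest "…may be protected in transit by opportunistic TLS where the servers involved support it, but it is still visible to…". The "standard email protocols" wording in the last paragraph is fine.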
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Recommended Providers
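Review bot: The new "## Benefits" intro ends with a colon ("…over conventional mailbox management/filtering methods:") but is followed by the heading "### Over Plus Addressing" rather than a list, so the colon dangles; end it with a period. The "### Over Catch-All Aliases" subsection then reopens with "Using a dedicated email aliasing service has a number of benefits over a catch-all alias…", restating the intro one heading above; "Compared with a catch-all alias on a custom domain:" would suffice. The paragraphs are otherwise moved, not changed.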
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
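Review bot: In the Addy.io download list the labels changed to "Google Play" / "App Store" with store icons, but both links still point at addy.io FAQ entries (`/faq/#is-there-an-android-app`, `/faq/#is-there-an-ios-app`) rather than store listings; either link the store pages or keep the previous platform labels. The intro line also still promises "10 domain aliases on a shared domain for free" while the rewritten paragraph below now defers shared-alias limits to the pricing page; pick one source of truth and use "shared aliases" in both places. Moving the Securitum audit into its own paragraph is a good change.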
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/el/email-clients.md b/i18n/el/email-clients.md index 069f84b1..c6c7fc7a 100644 --- a/i18n/el/email-clients.md +++ b/i18n/el/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/el/email.md b/i18n/el/email.md index 732dee4a..249d9c05 100644 --- a/i18n/el/email.md +++ b/i18n/el/email.md 
@@ -22,19 +22,19 @@ global: Για όλα τα υπόλοιπα, συνιστούμε μια ποικιλία παρόχων ηλεκτρονικού ταχυδρομείου που βασίζονται σε βιώσιμα επιχειρηματικά μοντέλα και ενσωματωμένα χαρακτηριστικά ασφάλειας και απορρήτου. Διαβάστε τον [πλήρη κατάλογο των κριτηρίων](#criteria) μας για περισσότερες πληροφορίες. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP Compatible Services -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Private Payment Methods -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Account Security 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail doesn't offer a digital legacy feature. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail doesn't offer a digital legacy feature. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Private Payment Methods -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Account Security -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Account Security 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/el/os/android-overview.md b/i18n/el/os/android-overview.md index de43e60c..fdc8552c 100644 
--- a/i18n/el/os/android-overview.md +++ b/i18n/el/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/eo/basics/account-creation.md b/i18n/eo/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/eo/basics/account-creation.md +++ b/i18n/eo/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/eo/basics/email-security.md b/i18n/eo/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/eo/basics/email-security.md +++ b/i18n/eo/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/eo/email-aliasing.md b/i18n/eo/email-aliasing.md index bc73aeb2..87d0fd0e 100644 --- a/i18n/eo/email-aliasing.md +++ b/i18n/eo/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Recommended Providers
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/eo/email-clients.md b/i18n/eo/email-clients.md index 72e1af4b..f4098df0 100644 --- a/i18n/eo/email-clients.md +++ b/i18n/eo/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Provizantoj de Servoj](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/eo/email.md b/i18n/eo/email.md index 079f34dc..8700ecbc 100644 --- a/i18n/eo/email.md +++ b/i18n/eo/email.md 
@@ -22,19 +22,19 @@ Email is practically a necessity for using any online service, however we do not For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP Compatible Services -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Private Payment Methods -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Account Security 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail doesn't offer a digital legacy feature. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail doesn't offer a digital legacy feature. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Private Payment Methods -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Account Security -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Account Security 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/eo/os/android-overview.md b/i18n/eo/os/android-overview.md index f2086618..4ff9761a 100644 
--- a/i18n/eo/os/android-overview.md +++ b/i18n/eo/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/es/basics/account-creation.md b/i18n/es/basics/account-creation.md index 7ed6ccf9..bbfab4b4 100644 --- a/i18n/es/basics/account-creation.md +++ b/i18n/es/basics/account-creation.md 
@@ -42,7 +42,7 @@ Usted es responsable de gestionar sus credenciales de ingreso. Para mayor seguri #### Alias de correo electrónico -Si no se quiere utilizar una dirección real de correo electrónico en un servicio, se cuenta con la opción de utilizar un alias. Estos los describimos con mayores detalles en nuestra página con recomendaciones de servicios de correo electrónico. Básicamente, los servicios de alias permiten generar nuevas direcciones de correo que reenvían todos los correos a la dirección principal. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Estos pueden ser filtrados automáticamente basándose en el alias al que son enviados. +Si no se quiere utilizar una dirección real de correo electrónico en un servicio, se cuenta con la opción de utilizar un alias. We describe them in more detail on our email services recommendation page. Básicamente, los servicios de alias permiten generar nuevas direcciones de correo que reenvían todos los correos a la dirección principal. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Estos pueden ser filtrados automáticamente basándose en el alias al que son enviados. Si un servicio es hackeado, puede que usted comience a recibir correos engañosos o basura en la dirección que utilizó para registrarse. Al utilizar un único alias para cada servicio, se puede identificar cual servicio fue hackeado. 
@@ -50,19 +50,19 @@ Si un servicio es hackeado, puede que usted comience a recibir correos engañoso ### "Iniciar sesión con..." (OAuth) -OAuth es un protocolo de autenticación que te permite registrarte en un servicio sin compartir mucha información con el proveedor del servicio, o incluso nada de información, utilizando en su lugar una cuenta existente que tengas con otro servicio. Cuando veas algo parecido a "Iniciar sesión con *nombre del proveedor*" en un formulario de registro, normalmente está utilizando OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Cuando veas algo parecido a "Iniciar sesión con *nombre del proveedor*" en un formulario de registro, normalmente está utilizando OAuth. Cuando inicies sesión con OAuth, se abrirá una página de inicio de sesión con el proveedor que elijas, y tu cuenta existente y la nueva estarán conectadas. Tu contraseña no se compartirá, pero sí algunos datos básicos (puedes revisarlos durante la solicitud de acceso). Este proceso es necesario cada vez que quieres iniciar sesión en la misma cuenta. Las principales ventajas son: -- **Seguridad**: no tienes que confiar en las prácticas de seguridad del servicio al que te conectas cuando se trata de almacenar tus credenciales de inicio de sesión, porque se almacenan con el proveedor externo de OAuth, que cuando se trata de servicios como Apple y Google suelen seguir las mejores prácticas de seguridad, auditan continuamente sus sistemas de autenticación y no almacenan credenciales de forma inapropiada (como en texto plano). -- **Facilidad de uso**: varias cuentas se gestionan con un solo inicio de sesión. 
+- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. Pero hay desventajas: -- **Privacidad**: el proveedor de OAuth con el que te conectes sabrá los servicios que utilizas. -- **Centralización**: si la cuenta que utilizas para OAuth se ve comprometida, o no eres capaz de iniciar sesión en ella, todas las demás cuentas conectadas a ella se verán afectadas. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth puede ser especialmente útil en aquellas situaciones en las que podrías beneficiarte de una integración más profunda entre servicios. Nuestra recomendación es limitar el uso de OAuth solamente donde lo necesites, y proteger siempre la cuenta principal con [MFA](multi-factor-authentication.md). diff --git a/i18n/es/basics/email-security.md b/i18n/es/basics/email-security.md index 39d68cb9..d11500ba 100644 --- a/i18n/es/basics/email-security.md +++ b/i18n/es/basics/email-security.md 
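Review bot: The new first sentence of this hunk describes "[Open Authorization (OAuth)]" as "an authentication protocol", which contradicts the expansion in the link text itself: OAuth 2.0 is an authorization framework (delegated access to resources), and "Sign in with ..." flows perform authentication through OpenID Connect layered on top of it. Since email-security.md and email-clients.md in this same patch now link here as the definition of OAuth, suggest "is an authorization protocol, commonly used for sign-in via OpenID Connect, that allows you to register for a service..." or simply replacing "authentication" with "authorization". The Security and Centralization bullets are accurate as written.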
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -El correo electrónico es una forma de comunicación insegura por defecto. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +El correo electrónico es una forma de comunicación insegura por defecto. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. En consecuencia, el correo electrónico se utiliza mejor para recibir correos electrónicos transaccionales (como notificaciones, correos de verificación, restablecimiento de contraseñas, etc.) de los servicios en los que te registras en línea, no para comunicarte con otras personas. ## Descripción de la encriptación del correo electrónico -La forma estándar de añadir E2EE a los correos electrónicos entre diferentes proveedores de correo electrónico es utilizando OpenPGP. Existen diferentes implementaciones del estándar OpenPGP, siendo las más comunes [GnuPG](https://es.wikipedia.org/wiki/GNU_Privacy_Guard) y [OpenPGP.js](https://openpgpjs.org). +La forma estándar de añadir E2EE a los correos electrónicos entre diferentes proveedores de correo electrónico es utilizando OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Incluso si utilizas OpenPGP, no admite el [secreto perfecto hacia adelante](https://es.wikipedia.org/wiki/Perfect_forward_secrecy), lo que significa que si alguna vez se roba tu clave privada o la del destinatario, todos los mensajes anteriores cifrados con ella se expondrán. 
Es por eso que recomendamos [servicios de mensajería instantáneos](../real-time-communication.md) que implementan el secreto perfecto hacia adelante por sobre el correo electrónico para las comunicaciones de persona a persona siempre que sea posible. +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. Es por eso que recomendamos [servicios de mensajería instantáneos](../real-time-communication.md) que implementan el secreto perfecto hacia adelante por sobre el correo electrónico para las comunicaciones de persona a persona siempre que sea posible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## ¿Qué es el estándar del Directorio de Claves Web? 
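Review bot: The edited S/MIME sentence in this hunk is still a comma splice after the comma removal: "There is another standard which is popular with business called S/MIME, however it requires a certificate..." Suggest "There is another standard, popular with businesses, called S/MIME. However, it requires a certificate...". Also, the GnuPG link now points at the internal anchor `../encryption.md#gnu-privacy-guard`; in a translated file that anchor only resolves if the es encryption.md keeps a heading that slugifies to `gnu-privacy-guard`, so check the built site rather than assuming the English slug.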
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email Además de los [clientes de correo electrónico que recomendamos](../email-clients.md) y son compatibles con WKD, algunos clientes web de correo electrónico también son compatibles con WKD. Si *tu propia* clave es publicada en WKD para que otros la utilicen, esto dependerá de tu configuración de dominio. Si utilizas un [proveedor de correo electrónico](../email.md#openpgp-compatible-services) compatible con WKD, como Proton Mail o Mailbox.org, ellos pueden publicar tu clave OpenPGP en su dominio por usted. -Su utilizas tu propio dominio personalizado, necesitarás configurar WKD por separado. Si tienes control sobre tu nombre de dominio, puedes configurar WKD sin importar el proveedor de correo electrónico que utilices. Una manera fácil de hacer esto es utilizar la característica de "[WKD como servicio](https://keys.openpgp.org/about/usage#wkd-as-a-service)", desde keys.openpgp.org, al configurar un registro CNAME en el subdominio de `openpgpkey` de tu dominio, apuntando a `wkd.keys.openpgp.org`, y después publicando tu clave en [keys.openpgp.org](https://keys.openpgp.org). De manera alternativa, puedes [hospedar WKD en tu propio servidor web](https://wiki.gnupg.org/WKDHosting). +Su utilizas tu propio dominio personalizado, necesitarás configurar WKD por separado. Si tienes control sobre tu nombre de dominio, puedes configurar WKD sin importar el proveedor de correo electrónico que utilices. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). De manera alternativa, puedes [hospedar WKD en tu propio servidor web](https://wiki.gnupg.org/WKDHosting). 
-Si utilizar un dominio compartido desde un proveedor no compatible con WKD, como @gmail.com, no podrás compartir tu clave OpenPGP con otros a través de este método. +If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### ¿Qué clientes de correo electrónico admiten E2EE? -Los proveedores de correo electrónico que permiten utilizar protocolos de acceso estándar como IMAP y SMTP pueden utilizarse con cualquiera de los clientes de correo electrónico [que recomendamos](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Los proveedores de correo electrónico que permiten utilizar protocolos de acceso estándar como IMAP y SMTP pueden utilizarse con cualquiera de los clientes de correo electrónico [que recomendamos](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### ¿Cómo puedo proteger mis claves privadas? 
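Review bot: Two issues on the + lines of this hunk. First, the typo "Su utilizas tu propio dominio personalizado" (should be "Si utilizas") is carried over unchanged from the - line into the + line; fix it while the string is being touched. Second, the new link `account-creation.md#sign-in-with-oauth` uses the English heading slug, but the es account-creation.md heading in this same patch is `### "Iniciar sesión con..." (OAuth)`, which will not slugify to `sign-in-with-oauth`, so the anchor will not resolve unless the heading carries an explicit id. The same English anchor is reused in the email-clients.md hunk further down. The OATH → OAuth correction itself is right: OATH is the HOTP/TOTP initiative, not the sign-in protocol meant here.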
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Descripción general de los metadatos de correo electrónico -Los metadatos del correo electrónico se almacenan en la [cabecera del mensaje](https://es.wikipedia.org/wiki/Correo_electr%C3%B3nico#Escritura_del_mensaje) del correo electrónico e incluye algunas cabeceras visibles que puedes haber visto como: `Para`, `De`, `Cc`, `Fecha`, `Asunto`. También hay una serie de encabezados ocultos incluidos por muchos clientes y proveedores de correo electrónico que pueden revelar información sobre tu cuenta. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. También hay una serie de encabezados ocultos incluidos por muchos clientes y proveedores de correo electrónico que pueden revelar información sobre tu cuenta. El software del cliente puede usar metadatos de correo electrónico para mostrar de quién es un mensaje y a qué hora se recibió. Los servidores pueden utilizarlo para determinar dónde debe enviarse un mensaje de correo electrónico, [entre otros fines](https://es.wikipedia.org/wiki/Correo_electr%C3%B3nico#Escritura_del_mensaje) que no siempre son transparentes. ### ¿Quién puede ver los metadatos del correo electrónico? -Los metadatos del correo electrónico están protegidos de observadores externos con [STARTTLS](https://es.wikipedia.org/wiki/STARTTLS) protegiéndolos de observadores externos, pero aún pueden ser vistos por tu software de cliente de correo electrónico (o webmail) y cualquier servidor que retransmita el mensaje de ti a cualquier destinatario, incluyendo tu proveedor de correo electrónico. A veces, los servidores de correo electrónico también utilizan servicios de terceros para protegerse del spam, que generalmente también tienen acceso a tus mensajes. 
+Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. A veces, los servidores de correo electrónico también utilizan servicios de terceros para protegerse del spam, que generalmente también tienen acceso a tus mensajes. ### ¿Por qué los metadatos no pueden ser E2EE? -Los metadatos del correo electrónico son cruciales para la funcionalidad más básica del correo electrónico (de dónde viene y a dónde tiene que ir). E2EE no estaba integrado originalmente en los protocolos de correo electrónico, sino que requería un software adicional como OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Los metadatos del correo electrónico son cruciales para la funcionalidad más básica del correo electrónico (de dónde viene y a dónde tiene que ir). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/es/email-aliasing.md b/i18n/es/email-aliasing.md index 6cfd30bd..ea03e859 100644 --- a/i18n/es/email-aliasing.md +++ b/i18n/es/email-aliasing.md 
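Review bot: The replacement sentence "Email metadata is protected from outside observers with [opportunistic TLS]" overstates the guarantee, and renaming STARTTLS to opportunistic TLS makes the gap more visible rather than closing it: opportunistic TLS is negotiated only when both mail servers support it and silently falls back to plaintext otherwise, so an active attacker on the path can strip the upgrade. Suggest "may be protected in transit from passive outside observers by opportunistic TLS, where both mail servers support it"; the rest of the sentence, that every relaying server and the provider still see the metadata, is the important part and should stay. The rewritten E2EE metadata paragraph below it is accurate.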
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Capitalismo de Vigilancia](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Exposición Pública](basics/common-threats.md#limiting-public-information){ .pg-green } -Un **servicio de alias de correo electrónico** te permite generar fácilmente una nueva dirección de correo electrónico para cada sitio web en el que te registres. Los alias de correo electrónico que generas son reenviados a una dirección de correo electrónico de tu elección, ocultando tanto tu dirección "principal" de correo electrónico como la identidad de tu [proveedor de correo electrónico](email.md). El verdadero alias de correo electrónico es mejor que el direccionamiento plus, comúnmente utilizado y admitido por muchos proveedores, que permite crear alias como `su nombre+[cualquiercosaaquí]@ejemplo.com`, porque los sitios web, los anunciantes y las redes de seguimiento pueden eliminar trivialmente cualquier cosa después del signo `+`. Organizaciones como la [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) solicitan que los anunciantes [normalicen las direcciones de correo electrónico](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) para poder correlacionarlas y rastrearlas, sin importar las preferencias de privacidad de los usuarios. +Un **servicio de alias de correo electrónico** te permite generar fácilmente una nueva dirección de correo electrónico para cada sitio web en el que te registres. Los alias de correo electrónico que generas son reenviados a una dirección de correo electrónico de tu elección, ocultando tanto tu dirección "principal" de correo electrónico como la identidad de tu [proveedor de correo electrónico](email.md). + +Los alias de correo electrónico también pueden servir de respaldo en caso de que tu proveedor de correo electrónico cese sus operaciones. 
En dicho escenario, fácilmente puedes redirigir tus alias a una nueva dirección de correo electrónico. A su vez, sin embargo, estás confiando en que tu servicio de alias continúe funcionando. + +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +El verdadero alias de correo electrónico es mejor que el direccionamiento plus, comúnmente utilizado y admitido por muchos proveedores, que permite crear alias como `su nombre+[cualquiercosaaquí]@ejemplo.com`, porque los sitios web, los anunciantes y las redes de seguimiento pueden eliminar trivialmente cualquier cosa después del signo `+`. Organizaciones como la [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) solicitan que los anunciantes [normalicen las direcciones de correo electrónico](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) para poder correlacionarlas y rastrearlas, sin importar las preferencias de privacidad de los usuarios. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Los alias se pueden activar y desactivar individualmente cuando lo necesites, evitando que los sitios web te envíen correos electrónicos al azar. +- Las respuestas son enviadas desde la dirección del alias, ocultando tu dirección real de correo electrónico. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Los alias son permanentes y pueden ser activados nuevamente si necesitas recibir algo como un reseteo de la contraseña. +- Los correos electrónicos son enviados a tu buzón de confianza, en vez de ser almacenados por el proveedor de los alias. 
+- Los servicios de correo electrónico temporal suelen tener buzones públicos a los que puede acceder cualquiera que conozca la dirección, mientras que los alias son privados para ti. + +## Proveedores Recomendados
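Review bot: The new section headings in this hunk (`## Benefits`, `### Over Plus Addressing`, `### Over Catch-All Aliases`, `### Over Temporary Email Services`) and their intro sentences land in the es file in English while every bullet under them is Spanish, so the Spanish page now shows English section headers in its table of contents and any in-page anchors will use English slugs until the headings are translated. The content move itself is clean: the fallback paragraph and the two bullet lists match the text removed in the following hunk word for word.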
@@ -19,20 +46,7 @@ Un **servicio de alias de correo electrónico** te permite generar fácilmente u
-Los alias de correo electrónico también pueden servir de respaldo en caso de que tu proveedor de correo electrónico cese sus operaciones. En dicho escenario, fácilmente puedes redirigir tus alias a una nueva dirección de correo electrónico. A su vez, sin embargo, estás confiando en que tu servicio de alias continúe funcionando. - -El uso de un servicio dedicado de alias de correo electrónico también tiene una cantidad de beneficios sobre un alias general en un dominio personalizado: - -- Los alias se pueden activar y desactivar individualmente cuando lo necesites, evitando que los sitios web te envíen correos electrónicos al azar. -- Las respuestas son enviadas desde la dirección del alias, ocultando tu dirección real de correo electrónico. - -También tienen una cantidad de beneficios sobre los servicios "temporales de correo electrónico": - -- Los alias son permanentes y pueden ser activados nuevamente si necesitas recibir algo como un reseteo de la contraseña. -- Los correos electrónicos son enviados a tu buzón de confianza, en vez de ser almacenados por el proveedor de los alias. -- Los servicios de correo electrónico temporal suelen tener buzones públicos a los que puede acceder cualquiera que conozca la dirección, mientras que los alias son privados para ti. - -Nuestras recomendaciones de alias de correo electrónico son proveedores que te permiten crear alias en dominios que ellos controlan, así como en tu(s) propio(s) dominio(s) personalizado(s) por una módica cuota anual. Estos pueden ser autoalojados si deseas tener el máximo control. Sin embargo, usar un dominio personalizado puede tener inconvenientes relacionados con la privacidad: Si eres la única persona usando tu dominio personalizado, tus acciones pueden ser rastreadas con facilidad a través de los sitios web, simplemente con el nombre del dominio en la dirección de correo electrónico e ignorando todo lo que se encuentre antes del signo de (@). 
+Nuestras recomendaciones de alias de correo electrónico son proveedores que te permiten crear alias en dominios que ellos controlan, así como en tu(s) propio(s) dominio(s) personalizado(s) por una módica cuota anual. Estos pueden ser autoalojados si deseas tener el máximo control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Usar un servicio de alias requiere confiar tus mensajes sin encriptar a tu proveedor de correo electrónico y tu proveedor de alias. Algunos proveedores mitigan esto ligeramente con el cifrado automático PGP[^1], que reduce el número de partes en las que tienes que confiar de dos a una al cifrar los correos entrantes antes de que lleguen a tu proveedor de buzón final. 
@@ -42,29 +56,31 @@ Usar un servicio de alias requiere confiar tus mensajes sin encriptar a tu prove ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). -[:octicons-home-16: Página Principal](https://addy.io){ .md-button .md-button--primary } -[:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Politica de Privacidad" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentación} -[:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Código Fuente" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribuir } +[:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads "Descargas" -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -Puedes crear un número ilimitado de alias estándar que terminen en un dominio como @[nombredeusuario].addy.io o un dominio personalizado en los planes de pago. Sin embargo, como ya se ha mencionado, esto puede ir en detrimento de la privacidad porque la gente puede relacionar trivialmente tus alias estándar basándose únicamente en el nombre de dominio. Estos son útiles cuando un dominio compartido puede estar bloqueado por un servicio. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. Sin embargo, como ya se ha mencionado, esto puede ir en detrimento de la privacidad porque la gente puede relacionar trivialmente tus alias estándar basándose únicamente en el nombre de dominio. Estos son útiles cuando un dominio compartido puede estar bloqueado por un servicio. 
+ +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Funciones gratuitas destacables: @@ -84,10 +100,10 @@ Si cancelas tu suscripción, disfrutarás de las características de tu plan de **SimpleLogin** es un servicio gratuito que proporciona alias de correo electrónico en una variedad de nombres de dominio compartidos y, opcionalmente, ofrece funciones de pago como alias ilimitados y dominios personalizados. -[:octicons-home-16: Página Principal](https://simplelogin.io){ .md-button .md-button--primary } -[:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Politica de Privacidad" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentación} -[:octicons-code-16:](https://github.com/simple-login){ .card-link title="Código Fuente" } +[:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
Downloads "Descargas" @@ -97,18 +113,18 @@ Si cancelas tu suscripción, disfrutarás de las características de tu plan de - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin fue [adquirido por Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) el 8 de abril de 2022. Si utilizas Proton Mail para tu buzón principal, SimpleLogin es una gran elección. Como ambos productos pertenecen ahora a la misma empresa, ahora sólo tienes que confiar en una única entidad. También esperamos que SimpleLogin se integre más estrechamente con las ofertas de Proton en el futuro. SimpleLogin sigue siendo compatible con el reenvío a cualquier proveedor de correo electrónico de tu elección. Securitum [auditó](https://simplelogin.io/blog/security-audit) SimpleLogin a principios de 2022 y todos los problemas [se solucionaron](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin fue [adquirido por Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) el 8 de abril de 2022. Si utilizas Proton Mail para tu buzón principal, SimpleLogin es una gran elección. Como ambos productos pertenecen ahora a la misma empresa, ahora sólo tienes que confiar en una única entidad. También esperamos que SimpleLogin se integre más estrechamente con las ofertas de Proton en el futuro. SimpleLogin sigue siendo compatible con el reenvío a cualquier proveedor de correo electrónico de tu elección. -Puedes vincular tu cuenta SimpleLogin en la configuración con tu cuenta Proton. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +Puedes vincular tu cuenta SimpleLogin en la configuración con tu cuenta Proton. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). 
+Securitum [auditó](https://simplelogin.io/blog/security-audit) SimpleLogin a principios de 2022 y todos los problemas [se solucionaron](https://simplelogin.io/audit2022/web.pdf). Funciones gratuitas destacables: @@ -121,6 +137,6 @@ Cuando finalice tu suscripción, todos los alias que hayas creado podrán seguir ## Criterios -**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proveedores que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), evaluamos los proveedores de correo electrónico con el mismo estándar que nuestros [criterios de proveedor de correo electrónico](email.md#criteria) donde corresponda. Sugerimos que te familiarices con esta lista antes de decidir utilizar un servicio de correo electrónico y realizar tu propia investigación para asegurarte de que es la elección ideal para ti. +**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proveedores que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), evaluamos los proveedores de correo electrónico con el mismo estándar que nuestros [criterios de proveedor de correo electrónico](email.md#criteria) donde corresponda. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: El cifrado PGP automático te permite cifrar correos electrónicos entrantes no cifrados antes de que sean enviados a tu buzón de correo, asegurándote de que tu proveedor principal de buzón nunca vea contenido de correo electrónico no cifrado. diff --git a/i18n/es/email-clients.md b/i18n/es/email-clients.md index 5fbe42d8..10149956 100644 --- a/i18n/es/email-clients.md +++ b/i18n/es/email-clients.md 
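Review bot: In the Addy.io hunk (@@ -42,29 +56,31 @@) the two edits pull in opposite directions: the later paragraph now reads "The number of shared aliases ... depends on the [plan] you are subscribed to" and drops the 10/50/unlimited figures so they cannot go stale, but the opening sentence in the same hunk keeps the hard-coded "10 domain aliases on a shared domain for free". Either keep the number in both places or, preferably, drop it from the intro as well. The intro also calls them "domain aliases" while the later paragraph and the FAQ link call them "shared" and "standard" aliases; one term per concept would help readers. Moving the Securitum audit sentence into its own paragraph, here and in the SimpleLogin hunk, is a good change.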
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Proveedores de servicios](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Ataques dirigidos](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -Los **clientes de correo** que recomendamos soportan tanto [OpenPGP](encryption.md#openpgp) como autenticación fuerte tal como [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth te permite utilizar [la autenticación multifactor](basics/multi-factor-authentication.md) para evitar el robo de cuentas. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth te permite utilizar [la autenticación multifactor](basics/multi-factor-authentication.md) para evitar el robo de cuentas.
El correo electrónico no proporciona secreto hacia adelante diff --git a/i18n/es/email.md b/i18n/es/email.md index efcce6a0..7ec8c461 100644 --- a/i18n/es/email.md +++ b/i18n/es/email.md 
@@ -22,19 +22,19 @@ El correo electrónico es prácticamente una necesidad para utilizar cualquier s Para todo lo demás, recomendamos una variedad de proveedores de correo electrónico basados en modelos sostenibles, además de características de seguridad y privacidad integradas. Lee nuestra \[lista completa de criterios\](#criterios) para más información. -| Proveedor | OpenPGP / WKD | IMAP / SMTP | Cifrado de acceso cero | Pagos anónimos | -| --------------------------- | -------------------------------------- | ----------------------------------------------------------------- | --------------------------------------------------------- | -------------------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Sólo en planes de pago | :material-check:{ .pg-green } | Efectivo | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Sólo el correo | Efectivo | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero y efectivo a través de terceros | +| Proveedor | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ----------------------------------------------------------------- | --------------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Sólo en planes de pago | :material-check:{ .pg-green } | Efectivo | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Sólo el correo | Efectivo | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | 
:material-check:{ .pg-green } | Monero
Cash via third party | -Además de (o en lugar de) un proveedor de correo electrónico recomendado aquí, es posible que desees considerar un [servicio de alias de correo electrónico](email-aliasing.md) dedicado para proteger tu privacidad. Entre otras cosas, estos servicios pueden ayudarte a proteger tu bandeja de entrada real del spam, evitar que los profesionales del marketing correlacionen tus cuentas y cifrar todos los mensajes entrantes con PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Entre otras cosas, estos servicios pueden ayudarte a proteger tu bandeja de entrada real del spam, evitar que los profesionales del marketing correlacionen tus cuentas y cifrar todos los mensajes entrantes con PGP. - [Más información :material-arrow-right-drop-circle:](email-aliasing.md) ## Servicios Compatibles con OpenPGP -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Por ejemplo, un usuario de Proton Mail podría enviar un mensaje E2EE a un usuario de Mailbox.org, o podrías recibir notificaciones encriptadas con OpenPGP desde servicios de Internet que lo soporten. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Por ejemplo, un usuario de Proton Mail podría enviar un mensaje E2EE a un usuario de Mailbox.org, o podrías recibir notificaciones encriptadas con OpenPGP desde servicios de Internet que lo soporten.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key ¡Al usar tecnologías de cifrado de extremo a extremo como OpenPGP, tu correo electrónico aún tendrá algunos metadatos que no son encriptados en el encabezado, por lo general incluyendo la línea del asunto! Lee más sobre los [metadatos de correo electrónico](basics/email-security.md#email-metadata-overview). -OpenPGP tampoco soporta Forward secrecy, lo que significa que si tu clave privada o la del destinatario es robada, todos los mensajes cifrados previamente con esta, estarán expuestos. [¿Cómo protejo mis claves privadas?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP tampoco soporta Forward secrecy, lo que significa que si tu clave privad ![Logo Proton Mail](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** es un servicio de correo electrónico con un enfoque en privacidad, encriptación, seguridad, y la facilidad de uso. Ha estado en operación desde 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** es un servicio de correo electrónico con un enfoque en privacidad, encriptación, seguridad, y la facilidad de uso. Ha estado en operación desde 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Página Principal](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Servicio Onion" } 
@@ -81,9 +85,9 @@ OpenPGP tampoco soporta Forward secrecy, lo que significa que si tu clave privad -Las cuentas gratuitas tienen algunas limitaciones, como no poder buscar texto en el contenido, y no tener acceso a [Proton Mail Bridge](https://proton.me/mail/bridge), que es requerido para utilizar un [cliente recomendado de correo electrónico para escritorio](email-clients.md) (como Thunderbird). Cuentas pagas incluyen funciones como Proton Mail Bridge, almacenamiento adicional, y soporte para dominios personalizados. Una [carta de certificación](https://proton.me/blog/security-audit-all-proton-apps) fue proporcionada para las aplicaciones de Proton Mail el 9 de noviembre de 2021 por [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Cuentas pagas incluyen funciones como Proton Mail Bridge, almacenamiento adicional, y soporte para dominios personalizados. Si tienes el plan Proton Unlimited o cualquier plan Proton multiusuario, también obtienes [SimpleLogin](email-aliasing.md#simplelogin) Premium gratis. -Si tienes el plan Proton Unlimited o cualquier plan Proton multiusuario, también obtienes [SimpleLogin](email-aliasing.md#simplelogin) Premium gratis. +Una [carta de certificación](https://proton.me/blog/security-audit-all-proton-apps) fue proporcionada para las aplicaciones de Proton Mail el 9 de noviembre de 2021 por [Securitum](https://research.securitum.com). Proton Mail tiene informes de errores internos que **no** son compartidos con terceros. Esto se puede desactivar en la aplicación web: :gear: → **Todos los ajustes** → **Cuenta** → **Seguridad y privacidad** → **Privacidad y recolección de datos**. 
@@ -93,7 +97,7 @@ Suscriptores de pago de Proton Mail pueden utilizar su propio dominio con el ser #### :material-check:{ .pg-green } Métodos de pago privados -Proton Mail [acepta](https://proton.me/support/payment-options) dinero en efectivo por correo, además de tarjeta de crédito/débito estándar, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), y pagos por PayPal. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Seguridad de Cuenta 
@@ -109,7 +113,7 @@ Cierta información almacenada en [Proton Contacts](https://proton.me/support/pr Proton Mail ha [integrado la encriptación OpenPGP](https://proton.me/support/how-to-use-pgp) en su webmail. Los correos electrónicos a otras cuentas de Proton Mail se encriptan automáticamente, y la encriptación a direcciones que no sean de Proton Mail con una clave OpenPGP pueden ser habilitados fácilmente en la configuración de tu cuenta. Proton also supports automatic external key discovery with WKD. Esto significa que los correos electrónicos enviados a otros proveedores que utilicen WKD también se cifrarán automáticamente con OpenPGP, sin necesidad de intercambiar manualmente claves PGP públicas con tus contactos. Estas también te permiten [cifrar los mensajes enviados a cuentas no pertenecientes a Proton](https://proton.me/support/password-protected-emails), sin la necesidad de que el receptor utilice OpenPGP o se registre en Proton Mail. -Proton Mail también publica las direcciones públicas de las cuentas a través de HTTP desde su WKD. Esto permite las personas quienes no utilizan Proton Mail a encontrar fácilmente las claves OpenPGP de las cuentas de Proton Mail, para E2EE entre proveedores. Esto solo aplica para las direcciones de correo electrónico que terminen en uno de los dominios de Proton, como @proton.me. Si utilizas un dominio personalizado, debes [configurar WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) por separado. +Proton Mail también publica las direcciones públicas de las cuentas a través de HTTP desde su WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. 
#### :material-information-outline:{ .pg-blue } Cancelación de Cuenta @@ -117,17 +121,17 @@ Si tienes una cuenta de pago y tu factura [no esta paga](https://proton.me/suppo #### :material-information-outline:{ .pg-blue }: Funcionalidad Adicional -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail no ofrece la función de legado digital. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Logo de Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** es un servicio de correo electrónico centrado en ser seguro, sin publicidad, y alimentado de forma privada con energía 100% ecológica. Han estado en operación desde 2014. Mailbox.org tiene su sede en Berlín, Alemania. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. Han estado en operación desde 2014. Mailbox.org tiene su sede en Berlín, Alemania. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Página Principal](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Política de Privacidad" } 
@@ -148,23 +152,23 @@ Mailbox.org te permite utilizar tu propio dominio y admite direcciones [catch-al #### :material-check:{ .pg-green } Métodos Privados de Pago -Mailbox.org no acepta criptomonedas debido a que su procesador de pagos BitPay suspendió sus operaciones en Alemania. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org no acepta criptomonedas debido a que su procesador de pagos BitPay suspendió sus operaciones en Alemania. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Seguridad de Cuenta -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. Puedes utilizar TOTP o una [YubiKey](https://en.wikipedia.org/wiki/YubiKey) a través de [YubiCloud](https://yubico.com/products/services-software/yubicloud). Estándares web como [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) aún no son soportados. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. Puedes utilizar TOTP o una [YubiKey](https://en.wikipedia.org/wiki/YubiKey) a través de [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Seguridad de Datos Mailbox.org permite encriptación del correo entrante usando su [buzón encriptado](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). Nuevos mensajes que recibas se encriptaran inmediatamente con tu clave pública. 
-Sin embargo, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), la plataforma de software utilizada por Mailbox.org, [no admite](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) el cifrado de su libreta de direcciones y calendario. Una [opción independiente](calendar.md) puede ser más apropiada para esa información. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Encriptación de Correo Electrónico Mailbox.org tiene [encriptación integrada](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) en su correo web, lo que simplifica el envío de mensajes a personas con claves públicas OpenPGP. También permiten [a destinatarios remotos descifrar un correo electrónico](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) en los servidores de Mailbox.org. Esta característica es útil cuando el destinatario remoto no tiene OpenPGP y no puede descifrar una copia del correo electrónico en su propio buzón de correo. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Esto permite que personas afuera de Mailbox.org encuentren fácilmente las claves OpenPGP de las cuentas de Mailbox.org, para E2EE entre proveedores. Esto solo aplica para las direcciones de correo electrónico que terminan en un dominio de Mailbox.org, como @mailbox.org. Si utilizas un dominio personalizado, debes [configurar WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) por separado. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Cancelación de Cuenta @@ -176,7 +180,7 @@ Puedes acceder a tu cuenta de Mailbox.org a través de IMAP/SMTP utilizando su [ Todas las cuentas incluyen almacenamiento limitado en la nube que [puede cifrarse](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org también ofrece el alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), que impone el cifrado TLS en la conexión entre servidores de correo; de lo contrario, el mensaje no se enviará en absoluto. Mailbox.org también admite [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) además de protocolos de acceso estándar como IMAP y POP3. -Mailbox.org tiene una función de legado digital para todos los planes. Puedes elegir si deseas que alguno de tus datos se transmita a los herederos, siempre que lo soliciten y aporten tu testamento. Alternativamente, puedes designar a una persona por su nombre y dirección. +Mailbox.org tiene una función de legado digital para todos los planes. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternativamente, puedes designar a una persona por su nombre y dirección. ## Más Proveedores 
@@ -195,7 +199,9 @@ Estos proveedores almacenan tus correos electrónicos con cifrado de cero-conoci ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (antes *Tutanota*) es un servicio de correo electrónico centrado en la seguridad y la privacidad mediante el uso de cifrado. Tuta lleva funcionando desde 2011 y tiene su sede en Hannover, Alemania. Free accounts start with 1 GB of storage. +**Tuta** (antes *Tutanota*) es un servicio de correo electrónico centrado en la seguridad y la privacidad mediante el uso de cifrado. Tuta lleva funcionando desde 2011 y tiene su sede en Hannover, Alemania. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Página Principal](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Política de Privacidad" } @@ -226,7 +232,7 @@ Las cuentas de pago de Tuta cuentan con 15 o 30 alias dependiendo del plan y ali #### :material-information-outline:{ .pg-blue } Métodos de pago privados -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Seguridad de Cuenta 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Seguridad de los datos -Tuta tiene [cifrado de acceso cero en reposo](https://tuta.com/support#what-encrypted) para tus correos, [contactos de la libreta de direcciones](https://tuta.com/support#encrypted-address-book) y [calendarios](https://tuta.com/support#calendar). Esto significa que sólo tú puedes leer los mensajes y otros datos almacenados en tu cuenta. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Esto significa que sólo tú puedes leer los mensajes y otros datos almacenados en tu cuenta. #### :material-information-outline:{ .pg-blue } Cifrado de correo electrónico @@ -248,8 +254,6 @@ Tuta [elimina las cuentas gratuitas inactivas](https://tuta.com/support#inactive Tuta ofrece una versión empresarial para [organizaciones sin fines de lucro](https://tuta.com/blog/secure-email-for-non-profit) de manera gratuita o con un importante descuento. -Tuta no ofrece una función de legado digital. - ## Correo de auto-alojamiento Los administradores de sistemas avanzados pueden plantearse crear su propio servidor de correo electrónico. Los servidores de correo requieren atención y un mantenimiento continuo para mantener la seguridad y la fiabilidad de la entrega del correo. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ Consideramos que estas características son importantes para ofrecer un servicio **Mínimo para calificar:** -- Cifra los datos de las cuentas de correo electrónico en reposo con cifrado de acceso cero. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operaciones en infraestructura propia, es decir, no construidas sobre proveedores de servicios de correo electrónico de terceros. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Los nombres de dominio personalizados son importantes para los usuarios porque les permiten mantener su agencia del servicio, en caso de que éste se estropee o sea adquirido por otra empresa que no dé prioridad a la privacidad. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. -**Mejor caso:** +**Mejor Caso:** -- Cifra todos los datos de la cuenta (contactos, calendarios, etc.) en reposo con cifrado de acceso cero. -- Cifrado integrado de correo web E2EE/PGP proporcionado como una conveniencia. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. Los usuarios de GnuPG pueden obtener una clave escribiendo: `gpg --locate-key usuario_ejemplo@ejemplo.com` -- Soporte para un buzón temporal para usuarios externos. Esto es útil cuando quieres enviar un correo electrónico encriptado, sin enviar una copia real a tu destinatario. Estos correos electrónicos suelen tener una vida útil limitada y luego se eliminan automáticamente. Tampoco requieren que el destinatario configure ninguna criptografía como OpenPGP. 
-- Disponibilidad de los servicios del proveedor de correo electrónico a través de un [ servicio onion](https://en.wikipedia.org/wiki/.onion). -- Soporte de [subdireccionamiento](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Los nombres de dominio personalizados son importantes para los usuarios porque les permiten mantener su agencia del servicio, en caso de que éste se estropee o sea adquirido por otra empresa que no dé prioridad a la privacidad. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Soporte para un buzón temporal para usuarios externos. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. Estos correos electrónicos suelen tener una vida útil limitada y luego se eliminan automáticamente. Tampoco requieren que el destinatario configure ninguna criptografía como OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Los nombres de dominio personalizados son importantes para los usuarios porque les permiten mantener su agencia del servicio, en caso de que éste se estropee o sea adquirido por otra empresa que no dé prioridad a la privacidad. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). 
Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacidad 
@@ -337,30 +342,30 @@ Preferimos que nuestros proveedores recomendados recojan la menor cantidad de da **Mínimo para Calificar:** -- Proteger la dirección IP del remitente, lo que puede implicar filtrarla para que no aparezca en el campo de cabecera `Recibido`. -- No requiere información personal identificable (PII) aparte de un nombre de usuario y una contraseña. -- Política de privacidad que cumple los requisitos definidos por el RGPD. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Mejor Caso:** -- Acepta [opciones de pago anónimas](advanced/payments.md) ([criptomonedas](cryptocurrency.md), efectivo, tarjetas regalo, etc.) -- Alojado en una jurisdicción con leyes de protección de la privacidad del correo electrónico estrictas. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Seguridad -Los servidores de correo electrónico manejan muchos datos sensibles. Esperamos que los proveedores adopten las mejores prácticas del sector para proteger a sus clientes. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. -**Mínimo para calificar:** +**Mínimo para Calificar:** -- Protección del correo web con 2FA, como TOTP. -- Cifrado de acceso cero, que se basa en el cifrado en reposo. El proveedor no disponga de las claves de descifrado de los datos que posee. Esto evita que un empleado deshonesto filtre datos a los que tiene acceso o que un adversario remoto divulgue datos que ha robado al obtener acceso no autorizado al servidor. 
+- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. El proveedor no disponga de las claves de descifrado de los datos que posee. Esto evita que un empleado deshonesto filtre datos a los que tiene acceso o que un adversario remoto divulgue datos que ha robado al obtener acceso no autorizado al servidor. - Compatible con [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). - Sin errores o vulnerabilidades TLS al ser perfilado por herramientas como [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh) o [Qualys SSL Labs](https://ssllabs.com/ssltest); esto incluye errores relacionados con certificados y parámetros DH débiles, como los que llevaron a [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- Una preferencia de suite de servidor (opcional en TLSv1.3) para suites de cifrado potentes que soporten forward secrecy y encriptación autenticada. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - Una política válida [MTA-STS](https://tools.ietf.org/html/rfc8461) y [TLS-RPT](https://tools.ietf.org/html/rfc8460). - Registros válidos de [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities). - Registros válidos [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) y [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail). -- Tenga un registro y una política adecuados de [DMARC](https://en.wikipedia.org/wiki/DMARC) o use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) para la autenticación. Si se utiliza la autenticación DMARC, la política debe establecerse en `rechazar` o `cuarentena`. 
+- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. Si se utiliza la autenticación DMARC, la política debe establecerse en `rechazar` o `cuarentena`. - Una preferencia de suite de servidor de TLS 1.2 o posterior y un plan para [RFC8996](https://datatracker.ietf.org/doc/rfc8996). - [Envío de SMTPS](https://en.wikipedia.org/wiki/SMTPS), suponiendo que se utiliza SMTP. - Estándares de seguridad del sitio web tales como: 
@@ -368,12 +373,12 @@ Los servidores de correo electrónico manejan muchos datos sensibles. Esperamos - [Integridad de subrecurso](https://en.wikipedia.org/wiki/Subresource_Integrity) si se cargan cosas desde dominios externos. - Debe admitir la visualización de [encabezados de mensaje](https://en.wikipedia.org/wiki/Email#Message_header), ya que es una característica forense crucial para determinar si un correo electrónico es un intento de phishing. -**Mejor caso:** +**Mejor Caso:** -- Soporte para autenticación de hardware, ej. U2F y [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F y [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [Registro de recursos de autorización de autoridad de certificación (CAA) de DNS](https://tools.ietf.org/html/rfc6844) además del soporte de DANE. -- Implementación de [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), que es útil para las personas que envían mensajes a listas de correo [RFC8617](https://tools.ietf.org/html/rfc8617). -- Auditorías de seguridad publicadas por una empresa externa de prestigio. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Programas de recompensa de errores y/o un proceso coordinado de divulgación de vulnerabilidades. - Estándares de seguridad del sitio web tales como: - [Política de seguridad de contenido (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -381,7 +386,7 @@ Los servidores de correo electrónico manejan muchos datos sensibles. Esperamos ### Confianza -No confiarías tus finanzas a alguien con una identidad falsa, así que ¿por qué confiarle tus datos de Internet? Exigimos a nuestros proveedores recomendados que hagan pública su propiedad o liderazgo. También nos gustaría ver informes de transparencia frecuentes, especialmente en lo que se refiere a cómo se gestionan las solicitudes del gobierno. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Requerimos que nuestros proveedores recomendados sean públicos sobre su propiedad o liderazgo. También nos gustaría ver informes de transparencia frecuentes, especialmente en lo que se refiere a cómo se gestionan las solicitudes del gobierno. **Mínimo para Calificar:** 
@@ -393,24 +398,21 @@ No confiarías tus finanzas a alguien con una identidad falsa, así que ¿por qu ### Marketing -Con los proveedores de correo electrónico que recomendamos, nos gusta ver un marketing responsable. +With the email providers we recommend, we like to see responsible marketing. -**Mejor caso:** +**Mínimo para Calificar:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -No debe tener ningún tipo de marketing irresponsable, que puede incluir lo siguiente: - -- Reclamaciones de "cifrado irrompible" El cifrado debe usarse con la intención de que no sea secreto en el futuro cuando exista la tecnología para descifrarlo. -- Haciendo garantías de proteger el anonimato al 100%. Cuando alguien afirma que algo es 100% significa que no hay certeza de fracaso. Sabemos que las personas pueden desanonimizarse fácilmente de varias maneras, por ejemplo: - - - Reutilizar información personal (como cuentas de correo electrónico, seudónimos únicos, etc.) que ellos accesaron sin programas de anonimato (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) 
that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Mejor Caso:** -- Documentación clara y fácil de leer para tareas como la configuración de 2FA, clientes de correo electrónico, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Funcionalidad Adicional -Aunque no son exactamente requisitos, hay algunos otros factores de conveniencia o privacidad que hemos analizado para determinar qué proveedores recomendar. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/es/os/android-overview.md b/i18n/es/os/android-overview.md index f0097f98..1fbc12bd 100644 --- a/i18n/es/os/android-overview.md +++ b/i18n/es/os/android-overview.md 
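Review bot: two wording problems in the English fallback bullets of the `### Marketing` hunk are worth fixing in the source string before they propagate to every locale. `Reusing personal information e.g. (email accounts, unique pseudonyms, etc.)` places `e.g.` outside the parenthesis it introduces and should read `(e.g. email accounts, unique pseudonyms, etc.)`; and `it means there is no certainty for failure` says the opposite of what is meant, which is that a "100%" claim admits no possibility of failure. Changing the duplicated `**Mejor caso:**` heading to `**Mínimo para Calificar:**` is correct, since the analytics bullet is a "Must" requirement and a separate `**Mejor Caso:**` block already follows; the mixed-language problem noted for the other es hunks applies here as well.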
@@ -132,7 +132,7 @@ Si tienes una cuenta de Google sugerimos que te inscribas en el [Programa de Pro El Programa de Protección Avanzada proporciona una supervisión de amenazas mejorada y permite: -- Autenticación de dos factores más estricta; por ejemplo, [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **debe** utilizarse y se prohíbe el uso de [OTP por SMS](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) y [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Solo las aplicaciones de Google y de terceros verificadas pueden acceder a los datos de la cuenta - Escaneo de correos electrónicos inminentes en las cuentas de Gmail contra los intentos de [phishing](https://es.wikipedia.org/wiki/Phishing#T%C3%A9cnicas_de_phishing) - [Escaneo de navegador seguro](https://google.com/chrome/privacy/whitepaper.html#malware) más estricto con Google Chrome 
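Review bot: the retargeted bullet `+- Stricter two-factor authentication; e.g. that [FIDO] **must** be used and disallows the use of [SMS OTPs], [TOTP] and [OAuth](../basics/account-creation.md#sign-in-with-oauth)` lists OAuth as if it were a second factor. OAuth is an authorization protocol, not an authentication factor, and what Advanced Protection restricts is third-party application access to account data, which the next bullet (`Solo las aplicaciones de Google y de terceros verificadas pueden acceder a los datos de la cuenta`) already covers; drop OAuth from the 2FA bullet or fold the point into that one. `e.g. that` should also be either `e.g.` alone or `requiring that`. Not part of this change but visible in the context lines: `Escaneo de correos electrónicos inminentes` renders "incoming" as "imminent"; `entrantes` is the intended word.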
@@ -154,7 +154,9 @@ Si tienes un dispositivo EOL (end-of-life) incluido con Android 10 o superior y Todos los dispositivos con Google Play Services instalado automáticamente generan un [ID de publicidad](https://support.google.com/googleplay/android-developer/answer/6048248) usado para la publicidad dirigida. Deshabilite esta función para limitar los datos recopilados sobre usted. -En las distribuciones de Android con los [servicios de Google Play aislados](https://grapheneos.org/usage#sandboxed-google-play), ve a :gear: **Ajustes** → **Aplicaciones** → **Google Play aislado** → **Ajustes de Google** → **Anuncios**, y selecciona *Eliminar el ID de publicidad*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** En las distribuciones de Android con Google Play Services privilegiado (que incluye la instalación de stock en la mayoría de los dispositivos), el ajuste puede estar en una de varias ubicaciones. Revisa diff --git a/i18n/fa/basics/account-creation.md b/i18n/fa/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/fa/basics/account-creation.md +++ b/i18n/fa/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/fa/basics/email-security.md b/i18n/fa/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/fa/basics/email-security.md +++ b/i18n/fa/basics/email-security.md 
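Review bot: `+[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol` contradicts itself within one sentence. OAuth 2.0 (RFC 6749) is an authorization framework; the "Sign in with ..." buttons the paragraph describes authenticate the user through OpenID Connect layered on top of it. Suggest `is an authorization framework, also used for "Sign in with ..." logins via OpenID Connect, that allows you to register...`. In the same hunk, `+- **Ease-of-use**:` hyphenates a plain noun phrase; `**Ease of use**` is correct when it is not modifying a noun. The security bullet's statement that common providers `continuously audit their authentication systems` is not supported anywhere on the page and would be safer as `generally follow strong security practices`.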
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
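Review bot: `Google Workplace`, present in both the removed and the added S/MIME line, is a misspelling of the product name Google Workspace, and the linked support page is the Workspace one; fix it in the source string so every locale picks it up. The edit also drops the comma after `however` while leaving the comma splice in place (`...called [S/MIME](...), however it requires a certificate...`); split the sentence at `however` with a period or semicolon. Changing the GnuPG link to `../encryption.md#gnu-privacy-guard` is fine as long as that anchor exists on the fa encryption page.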
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
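Review bot: in `### What Email Clients Support E2EE?` the new link target `[OAuth](account-creation.md#sign-in-with-oauth)` points at the "Sign in with ..." social-login section, but the sentence is about OAuth as the login method a mail client uses for IMAP/SMTP access (the client obtains a token after the provider's web sign-in, which is where MFA applies). A reader following the link is told about delegating registration to Apple or Google, not about mailbox access; keep the external reference or link to a section that explains OAuth for mail clients. The sentence also needs a comma before `as multifactor authentication is not possible with plain password authentication`. The WKD paragraph change is fine: a CNAME on the `openpgpkey` subdomain pointing to `wkd.keys.openpgp.org` matches the documented "WKD as a Service" setup.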
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/fa/email-aliasing.md b/i18n/fa/email-aliasing.md index bc73aeb2..87d0fd0e 100644 --- a/i18n/fa/email-aliasing.md +++ b/i18n/fa/email-aliasing.md 
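Review bot: in the fa/basics/email-security.md `### Who Can View Email Metadata?` hunk, `+Email metadata is protected from outside observers with [opportunistic TLS](...)` overstates the protection. Opportunistic TLS only applies when each hop offers STARTTLS and falls back to plaintext otherwise, and an on-path attacker can strip the STARTTLS offer unless the receiving domain enforces TLS through MTA-STS or DANE. A qualifier such as `is usually protected in transit by opportunistic TLS, which can be downgraded unless the receiving domain enforces TLS` would be accurate; the rest of the hunk (removing the duplicated "protecting it from outside observers", `standard email protocols`) reads well.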
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Recommended Providers
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
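Review bot: in the Addy.io `Downloads` list the relabelled entries `+- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app)` and `+- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app)` now show store icons and names but still resolve to FAQ entries rather than store listings; either link the actual listings or keep the generic Android/iOS labels so the link text matches its destination. Replacing the hard-coded tier prices with a link to `https://addy.io/#pricing` is the right call, since prices in prose go stale, and splitting the Securitum audit sentence into its own paragraph reads better.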
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/fa/email-clients.md b/i18n/fa/email-clients.md index 8a85734a..a9f353d6 100644 --- a/i18n/fa/email-clients.md +++ b/i18n/fa/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/fa/email.md b/i18n/fa/email.md index fa491bec..7645fd87 100644 --- a/i18n/fa/email.md +++ b/i18n/fa/email.md @@ -22,19 +22,19 @@ global: برای هر چیز دیگری، ما انواع ارائه دهندگان ایمیل را بر اساس مدل‌های تجاری پایدار و ویژگی‌های امنیتی و حریم خصوصی توصیه می‌کنیم. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## سرویس‌های سازگار با OpenPGP -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. به عنوان مثال، یک کاربر Proton Mail می تواند یک پیام E2EE را به یک کاربر Mailbox.org ارسال کند، یا می توانید اعلان های رمزگذاری شده با OpenPGP را از سرویس های اینترنتی که از آن پشتیبانی می کنند دریافت کنید. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. به عنوان مثال، یک کاربر Proton Mail می تواند یک پیام E2EE را به یک کاربر Mailbox.org ارسال کند، یا می توانید اعلان های رمزگذاری شده با OpenPGP را از سرویس های اینترنتی که از آن پشتیبانی می کنند دریافت کنید.
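Review bot: In the `@@ -22,19 +22,19 @@` table hunk of email.md, the Tuta row's "Anonymous Payment Methods" cell lists Monero and "Cash via third party", but the Tuta "روش های پرداخت خصوصی" hunk later in this same file only says cryptocurrency can be used to buy gift cards through ProxyStore and never mentions cash. Either drop "Cash" from the table cell or state in the Tuta section that the reseller also accepts cash, so the summary table and the provider section agree. Since both are source strings, fix the English source rather than the fa copy so every locale picks up the same correction.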
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
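Review bot: The new sentence in the `@@ -48,7 +48,9 @@` hunk, "if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed", overstates the sender side: an OpenPGP message is encrypted to the recipient's public key, so compromise of the sender's private key only exposes messages the sender also encrypted to their own key (the default in most clients, but a client behaviour, not a property of OpenPGP). Suggest: "OpenPGP has no forward secrecy, so if a private key is ever stolen, every past message that was encrypted to that key can be decrypted." Splitting the "How do I protect my private keys?" link into its own bullet is a good change.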
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** یک سرویس ایمیل با تمرکز بر حریم خصوصی، رمزگذاری، امنیت و سهولت استفاده است. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** یک سرویس ایمیل با تمرکز بر حریم خصوصی، رمزگذاری، امنیت و سهولت استفاده است. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -حساب‌های رایگان دارای محدودیت‌هایی هستند، مانند عدم امکان جستجوی متن اصلی و عدم دسترسی به [Proton Mail Bridge](https://proton.me/mail/bridge)، که برای استفاده از [نرم افزار ایمیل دسک‌تاپ (ویندوزی) توصیه‌شده](email-clients.md) لازم است (به عنوان مثال. Thunderbird). حساب‌های پولی شامل ویژگی‌هایی مانند Proton Mail Bridge، فضای ذخیره‌سازی اضافی و پشتیبانی از دامنه سفارشی است. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). حساب‌های پولی شامل ویژگی‌هایی مانند Proton Mail Bridge، فضای ذخیره‌سازی اضافی و پشتیبانی از دامنه سفارشی است. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
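Review bot: The plan list in the `@@ -81,9 +85,9 @@` hunk ("If you have the Proton Unlimited plan or any multi-user Proton plan, you also get SimpleLogin Premium for free") disagrees with the SimpleLogin hunk in email-aliasing.md in this same patch, which also names Proton Pass Plus. One of the two pages is stale. Both sentences are source strings, so the fix belongs in the English source so that translators receive one consistent string instead of two versions to reconcile.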
@@ -93,7 +97,7 @@ Proton Mail has internal crash reports that are **not** shared with third partie #### :material-check:{ .pg-green } روش های پرداخت خصوصی -Proton Mail پول نقد از طریق پست، کارت اعتباری/دبیت استاندارد، [Bitcoin](advanced/payments.md# other-coins-bitcoin-ethereum-etc) و پرداخت های PayPal را [می‌پذیرد](https://proton.me/support/payment-options). +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } امنیت حساب 
@@ -109,7 +113,7 @@ Proton Mail دارای [رمزگذاری بدون دسترسی](https://proton.m Proton Mail دارای [رمزگذاری OpenPGP یکپارچه](https://proton.me/support/how-to-use-pgp) در ایمیل خود است. ایمیل‌های سایر حساب‌های Proton Mail به‌طور خودکار رمزگذاری می‌شوند و رمزگذاری آدرس‌های ایمیل غیر پروتون با کلید OpenPGP به راحتی در تنظیمات حساب شما فعال می‌شود. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. این قابلیت به افرادی که از سرویس Proton Mail استفاده نمی‌کنند اجازه می‌دهد تا کلیدهای OpenPGP حساب‌های Proton Mail را برای رمزگذاری E2EE سرویس‌های دیگر به راحتی پیدا کنند. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } بستن حساب 
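Review bot: "publishes the public keys of Proton accounts via HTTP from their WKD" in the `@@ -109,7 +113,7 @@` hunk should say HTTPS: the Web Key Directory protocol specifies HTTPS URLs under `.well-known/openpgpkey`, and clients such as GnuPG's dirmngr do not fall back to plain HTTP, so "via HTTP" misdescribes the transport that makes the lookup trustworthy. The same "via HTTP" wording recurs in the Mailbox.org `@@ -148` hunk ("discovery of public keys via HTTP from their WKD") and in the criteria `@@ -315` hunk ("discovery of public OpenPGP keys via HTTP"); correct it once in the English source so all locales pick it up.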
@@ -117,9 +121,7 @@ Proton Mail also publishes the public keys of Proton accounts via HTTP from thei #### :material-information-outline:{ .pg-blue } عملکردهای دیگر -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail امکان به ارث بردن اطلاعات برای وراث را ندارد. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail امکان به ارث بردن اطلاعات برای وراث ر ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** یک سرویس ایمیل با تمرکز بر ایمن بودن، بدون آگهی و خصوصی بودن با مصرف انرژی 100% سازگار با محیط زیست است. آنها از سال 2014 شروع به کار کرده‌اند. Mailbox.org در برلین آلمان مستقر است. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. آنها از سال 2014 شروع به کار کرده‌اند. Mailbox.org در برلین آلمان مستقر است. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } روش های پرداخت خصوصی -به دلیل تعلیق پرداخت‌یار BitPay در آلمان، Mailbox.org هیچ ارز دیجیتالی را نمی‌پذیرد. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +به دلیل تعلیق پرداخت‌یار BitPay در آلمان، Mailbox.org هیچ ارز دیجیتالی را نمی‌پذیرد. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } امنیت حساب -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). استانداردهای وب مانند [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) هنوز پشتیبانی نمی‌شوند. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } امنیت داده Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). پیام های جدیدی که دریافت می‌کنید بلافاصله با کلید عمومی شما رمزگذاری می‌شوند. 
-However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } رمزگذاری ایمیل Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. این ویژگی زمانی مفید است که گیرنده امکان استفاده از OpenPGP را ندارد و نمی تواند یک کپی از ایمیل را در صندوق پستی خود رمزگشایی کند. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. این قابلیت به افرادی که از سرویس Mailbox.org استفاده نمی‌کنند اجازه می‌دهد تا کلیدهای OpenPGP حساب‌های Mailbox.org را برای رمزگذاری E2EE سرویس‌های دیگر به راحتی پیدا کنند. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. 
This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } بستن حساب @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org همچنین از [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) علاوه بر پروتکل‌های دسترسی استاندارد مانند IMAP و POP3 پشتیبانی می‌کند. -Mailbox.org امکان به ارث بردن اطلاعات برای همه طرح‌هایش را دارد. می‌توانید انتخاب کنید که آیا می‌خواهید کدام یک از داده‌هایتان به وراث داده شود، مشروط بر اینکه آنها درخواست دهند و وصیت شما را ارائه دهند. همچنین می‌توانید فردی را با نام و آدرس معرفی کنید. +Mailbox.org امکان به ارث بردن اطلاعات برای همه طرح‌هایش را دارد. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. همچنین می‌توانید فردی را با نام و آدرس معرفی کنید. ## سرویس دهندگان بیشتر 
@@ -195,7 +199,9 @@ Mailbox.org امکان به ارث بردن اطلاعات برای همه طر ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } روش های پرداخت خصوصی -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } امنیت حساب 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } امنیت داده -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). این بدان معناست که پیام ها و سایر داده های ذخیره شده در حساب شما فقط توسط شما قابل خواندن است. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). این بدان معناست که پیام ها و سایر داده های ذخیره شده در حساب شما فقط توسط شما قابل خواندن است. #### :material-information-outline:{ .pg-blue } رمزگذاری ایمیل @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## خودمیزبانی ایمیل (Self-Hosting) ادمین‌های سیستم پیشرفته ممکن است راه اندازی سرور ایمیل خود را در نظر بگیرند. سرورهای ایمیل برای ایمن نگه داشتن چیزها و قابل اعتماد بودن تحویل ایمیل نیاز به توجه و نگهداری مداوم دارند. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **حداقل شرایط صلاحیت:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. -**بهترین شرایط:** +**Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### حریم خصوصی 
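Review bot: The criteria hunk `@@ -315,21 +319,22 @@` now lists the custom domain requirement twice: it is added to "Minimum to Qualify" ("Allow users to use their own domain name...") and the same sentence is re-added to "Best Case" as "Should allow users to use their own domain name...". A requirement cannot be both mandatory and aspirational; drop the Best Case copy. The modal wording is also inconsistent after this change: the new minimum bullet lacks the "Must" its neighbours gained, and "Support for a temporary mailbox..." and "Catch-all or alias functionality..." in Best Case lack the "Should" the other bullets now carry. Minor: `gpg --locate-key example_user@example.com` returns a key already present in the local keyring without consulting WKD at all; `gpg --locate-external-key example_user@example.com` forces the network lookup and is the right command when the point is to check that a provider actually serves WKD.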
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -368,12 +373,12 @@ Email servers deal with a lot of very sensitive data. We expect that providers w - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. - Must support viewing of [message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. -**بهترین شرایط:** +**Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
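Review bot: In the `@@ -337,30 +342,30 @@` hunk, "Zero-access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold" should be scoped to stored data: an inbound message that arrives unencrypted is necessarily processed in plaintext by the provider's MTA at delivery time before it is encrypted to the user's key, so zero-access protects mail at rest, not mail passing through the provider. A reader comparing this to the PGP-encrypting alias services in this patch needs that distinction. Same hunk: "or remote adversary" needs an article ("or a remote adversary"). In the `@@ -368,12 +373,12 @@` hunk, "hardware authentication, i.e. U2F and WebAuthn" should read "e.g."; U2F and WebAuthn are examples of hardware-backed authentication, not its definition.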
@@ -381,13 +386,13 @@ Email servers deal with a lot of very sensitive data. We expect that providers w ### اعتماد -شما به شخصی با هویت تقلبی برای امور مالی اعتماد نمی‌کنید، پس چرا با ایمیل‌تان به آنها اعتماد کنید؟ ما از ارائه‌دهندگانی که توصیه می‌کنیم می‌خواهیم که درباره مالکیت یا رهبری خود به صورت عمومی اطلاع رسانی کنند. همچنین، ما علاقه‌مندیم که گزارش‌های شفافیت متناوب ببینیم، به ویژه در ارتباط با روش برخورد با درخواست‌های دولتی. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. **Minimum to Qualify:** - رهبری یا مالکیت قابل رویت توسط عموم. -**بهترین شرایط:** +**Best Case:** - گزارش‌های شفافیت متناوب. 
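Review bot: The `@@ -381,13 +386,13 @@` hunk replaces a complete Farsi paragraph (the Trust introduction) and the "بهترین شرایط" heading with English source text, leaving the fa page half-translated. This is a Crowdin reset triggered by the source string changing, not an intended edit, and the same regression appears in the Proton `@@ -81` hunk ("Free accounts have some limitations..."), the Mailbox.org `@@ -148` hunk (the WebAuthn sentence), the `@@ -176` inheritance sentence and the "### قابلیت‌های اضافی" paragraph. Merging the bot sync is fine, but these strings should be re-queued for the Farsi translators and tracked, otherwise the mixed-language page ships to readers.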
@@ -395,22 +400,19 @@ Email servers deal with a lot of very sensitive data. We expect that providers w With the email providers we recommend, we like to see responsible marketing. -**حداقل شرایط صلاحیت:** +**Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. 
### قابلیت‌های اضافی -با اینکه این موارد الزامی نیستند، اما در انتخاب ارائه‌دهندگانی که توصیه ‌می‌کنیم، به عواملی مانند راحتی و حفظ حریم خصوصی نیز توجه می‌کنیم. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/fa/os/android-overview.md b/i18n/fa/os/android-overview.md index f2086618..4ff9761a 100644 --- a/i18n/fa/os/android-overview.md +++ b/i18n/fa/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/fr/basics/account-creation.md b/i18n/fr/basics/account-creation.md index 8250c7de..1af38b01 100644 --- a/i18n/fr/basics/account-creation.md +++ b/i18n/fr/basics/account-creation.md 
@@ -42,7 +42,7 @@ Vous serez responsable de la gestion de vos identifiants de connexion. Pour plus #### Alias d'e-mail -Si vous ne voulez pas donner votre véritable adresse e-mail à un service, vous avez la possibilité d'utiliser un alias. Nous les avons décrits plus en détail sur notre page de recommandation des services d'e-mail. Essentiellement, les services d'alias vous permettent de créer de nouvelles adresses e-mail qui transmettent tous les courriers à votre adresse principale. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Ceux-ci peuvent être filtrés automatiquement en fonction de l'alias auquel ils sont envoyés. +Si vous ne voulez pas donner votre véritable adresse e-mail à un service, vous avez la possibilité d'utiliser un alias. We describe them in more detail on our email services recommendation page. Essentiellement, les services d'alias vous permettent de créer de nouvelles adresses e-mail qui transmettent tous les courriers à votre adresse principale. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Ceux-ci peuvent être filtrés automatiquement en fonction de l'alias auquel ils sont envoyés. Si un service est piraté, vous pouvez commencer à recevoir des e-mails d'hameçonnage ou de spam à l'adresse que vous avez utilisée pour vous inscrire. L'utilisation d'alias uniques pour chaque service peut aider à identifier exactement quel service a été piraté. 
@@ -50,19 +50,19 @@ Si un service est piraté, vous pouvez commencer à recevoir des e-mails d'hame ### "Se connecter avec..." (OAuth) -OAuth est un protocole d'authentification qui vous permet de vous inscrire à un service sans partager beaucoup d'informations avec le fournisseur de services, le cas échéant, en utilisant un compte existant que vous avez avec un autre service à la place. Chaque fois que vous voyez quelque chose du type "Se connecter avec *nom du fournisseur*" sur un formulaire d'inscription, c'est généralement qu'il utilise OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Chaque fois que vous voyez quelque chose du type "Se connecter avec *nom du fournisseur*" sur un formulaire d'inscription, c'est généralement qu'il utilise OAuth. Lorsque vous vous connectez avec OAuth, une page de connexion s'ouvre avec le fournisseur que vous avez choisi, et votre compte existant et votre nouveau compte seront connectés. Votre mot de passe ne sera pas communiqué, mais certaines informations de base le seront généralement (vous pouvez les consulter lors de la demande de connexion). Ce processus est nécessaire chaque fois que vous voulez vous connecter au même compte. Les principaux avantages sont les suivants : -- **Sécurité** : vous n'avez pas à vous fier aux pratiques de sécurité du service auquel vous vous connectez lorsqu'il s'agit de stocker vos identifiants de connexion, car ils sont stockés chez le fournisseur OAuth externe, qui, lorsqu'il s'agit de services comme Apple et Google, suit généralement les meilleures pratiques de sécurité, audite en permanence ses systèmes d'authentification et ne stocke pas les identifiants de manière inappropriée (par exemple en texte clair). 
-- **Facilité d'utilisation** : plusieurs comptes sont gérés par un seul login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. Mais il y a des inconvénients : -- **Vie privée** : le fournisseur OAuth avec lequel vous vous connectez connaîtra les services que vous utilisez. -- **Centralisation** : si le compte que vous utilisez pour OAuth est compromis ou si vous n'êtes pas en mesure de vous y connecter, tous les autres comptes qui y sont connectés sont affectés. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. L'OAuth peut être particulièrement utile dans les situations où vous pourriez bénéficier d'une intégration plus poussée entre les services. Nous recommandons de limiter l'utilisation d'OAuth aux seuls cas où vous en avez besoin et de toujours protéger le compte principal à l'aide de [MFA](multi-factor-authentication.md). diff --git a/i18n/fr/basics/email-security.md b/i18n/fr/basics/email-security.md index 7ddebbac..78f155ce 100644 --- a/i18n/fr/basics/email-security.md +++ b/i18n/fr/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -L'e-mail est une forme de communication non sécurisée par défaut. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +L'e-mail est une forme de communication non sécurisée par défaut. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. Par conséquent, il est préférable d'utiliser l'e-mail pour recevoir des e-mails transactionnels (notifications, e-mails de vérification, réinitialisation de mot de passe, etc.) provenant des services auxquels vous vous inscrivez en ligne, et non pour communiquer avec d'autres personnes. ## Aperçu du chiffrement des e-mails -La méthode standard pour ajouter du E2EE aux e-mails entre différents fournisseurs d'e-mails est d'utiliser OpenPGP. Il existe différentes implémentations de la norme OpenPGP, les plus courantes étant [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) et [OpenPGP.js](https://openpgpjs.org). +La méthode standard pour ajouter du E2EE aux e-mails entre différents fournisseurs d'e-mails est d'utiliser OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Même si vous utilisez OpenPGP, il ne prend pas en charge la [confidentialité persistante](https://en.wikipedia.org/wiki/Forward_secrecy), ce qui signifie que si votre clé privée ou celle du destinataire est volée, tous les messages précédents chiffrés avec cette clé seront exposés. 
C'est pourquoi nous recommandons, dans la mesure du possible, les [messageries instantanées](../real-time-communication.md) qui mettent en œuvre la confidentialité persistante par rapport aux e-mails pour les communications de personne à personne. +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. C'est pourquoi nous recommandons, dans la mesure du possible, les [messageries instantanées](../real-time-communication.md) qui mettent en œuvre la confidentialité persistante par rapport aux e-mails pour les communications de personne à personne. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## Qu'est-ce que la norme Web Key Directory ? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email Outre les [clients d'e-mail que nous recommandons](../email-clients.md) et qui prennent en charge le WKD, certains fournisseurs d'e-mail avec interface web prennent également en charge le WKD. Le fait que *votre propre clé* soit publiée sur le WKD pour que d'autres puissent l'utiliser dépend de la configuration de votre domaine. Si vous utilisez un [fournisseur d'e-mail](../email.md#openpgp-compatible-services) qui prend en charge le WKD, tel que Proton Mail ou Mailbox.org, il peut publier votre clé OpenPGP sur son domaine pour vous. -Si vous utilisez votre propre domaine personnalisé, vous devrez configurer le WKD séparément. Si vous contrôlez votre nom de domaine, vous pouvez configurer le WKD quel que soit votre fournisseur d'e-mail. Une façon simple de le faire est d'utiliser la fonction "[WKD en tant que Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" de keys.openpgp.org, en définissant un enregistrement CNAME sur le sous-domaine `openpgpkey` de votre domaine pointé vers `wkd.keys.openpgp.org`, puis en envoyant votre clé sur [keys.openpgp.org](https://keys.openpgp.org). Vous pouvez également [héberger vous-même le WKD sur votre propre serveur web](https://wiki.gnupg.org/WKDHosting). +Si vous utilisez votre propre domaine personnalisé, vous devrez configurer le WKD séparément. Si vous contrôlez votre nom de domaine, vous pouvez configurer le WKD quel que soit votre fournisseur d'e-mail. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Vous pouvez également [héberger vous-même le WKD sur votre propre serveur web](https://wiki.gnupg.org/WKDHosting). 
-Si vous utilisez un domaine partagé d'un fournisseur qui ne prend pas en charge le WKD, comme @gmail.com, vous ne pourrez pas partager votre clé OpenPGP avec d'autres personnes via cette méthode. +If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### Quels clients d'e-mail supportent le E2EE ? -Les fournisseurs d'e-mail qui vous permettent d'utiliser les protocoles d'accès standard comme IMAP et SMTP peuvent être utilisés avec n'importe lequel des [clients d'e-mail que nous recommandons](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Les fournisseurs d'e-mail qui vous permettent d'utiliser les protocoles d'accès standard comme IMAP et SMTP peuvent être utilisés avec n'importe lequel des [clients d'e-mail que nous recommandons](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### Comment puis-je protéger mes clés privées ? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Aperçu des métadonnées des e-mails -Les métadonnées des e-mails sont stockées dans [l'en-tête de message](https://en.wikipedia.org/wiki/Email#Message_header) de l'e-mail et comprennent certains en-têtes visibles que vous avez peut-être vus, tels que : `À`, `De`, `Cc`, `Date`, `Sujet`. Il existe également un certain nombre d'en-têtes cachés inclus par de nombreux clients et fournisseurs d'e-mail qui peuvent révéler des informations sur votre compte. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. Il existe également un certain nombre d'en-têtes cachés inclus par de nombreux clients et fournisseurs d'e-mail qui peuvent révéler des informations sur votre compte. Le logiciel client peut utiliser les métadonnées de l'e-mail pour montrer de qui provient un message et à quelle heure il a été reçu. Les serveurs peuvent l'utiliser pour déterminer où un e-mail doit être envoyé, parmi [d'autres objectifs](https://en.wikipedia.org/wiki/Email#Message_header) qui ne sont pas toujours transparents. ### Qui peut voir les métadonnées des e-mails ? -Les métadonnées des emails sont protégées des observateurs extérieurs par le protocole [TLS Opportuniste](https://en.wikipedia.org/wiki/Opportunistic_TLS). Elles peuvent néanmoins être vues par votre logiciel client e-mail (ou interface d'e-mail web) et par tout serveur relayant le message de votre part à ses destinataires, y compris votre fournisseur d'e-mail. Parfois, les serveurs d'e-mail font également appel à des services tiers pour se protéger des spams, qui ont généralement aussi accès à vos messages. 
+Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Parfois, les serveurs d'e-mail font également appel à des services tiers pour se protéger des spams, qui ont généralement aussi accès à vos messages. ### Pourquoi les métadonnées ne peuvent-elles pas être E2EE? -Les métadonnées des e-mails sont essentielles à la fonctionnalité la plus élémentaire d'un e-mail (d'où il vient et où il doit aller). À l'origine, le E2EE n'était pas intégré dans les protocoles d'e-mails, mais nécessitait un logiciel complémentaire comme OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Les métadonnées des e-mails sont essentielles à la fonctionnalité la plus élémentaire d'un e-mail (d'où il vient et où il doit aller). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/fr/email-aliasing.md b/i18n/fr/email-aliasing.md index 57dcf36a..2735fb4f 100644 --- a/i18n/fr/email-aliasing.md +++ b/i18n/fr/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. Les alias que vous générez sont ensuite transférés vers une adresse électronique de votre choix, masquant ainsi votre adresse électronique "principale" et l'identité de votre [fournisseur d'adresses électroniques](email.md). Un véritable alias d'adresse électronique est préférable à l'adressage plus couramment utilisé et pris en charge par de nombreux fournisseurs, qui vous permet de créer des alias du type "nom de famille+[n'importe où]@exemple.com", parce que les sites web, les annonceurs et les réseaux de suivi peuvent trivialement supprimer tout ce qui se trouve après le signe `+`. Des organisations telles que l'[IAB] (https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) exigent que les annonceurs [normalisent les adresses électroniques] (https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) afin qu'elles puissent être corrélées et suivies, sans tenir compte des souhaits des utilisateurs en matière de protection de la vie privée. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. Les alias que vous générez sont ensuite transférés vers une adresse électronique de votre choix, masquant ainsi votre adresse électronique "principale" et l'identité de votre [fournisseur d'adresses électroniques](email.md). + +L'alias d'e-mail peut également servir de protection au cas où votre fournisseur E-Mail cesserait ses activités. Dans ce cas, vous pouvez facilement rediriger vos alias vers une nouvelle adresse e-mail. 
En revanche, vous faites confiance au service d'alias pour qu'il continue de fonctionner. + +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +Un véritable alias d'adresse électronique est préférable à l'adressage plus couramment utilisé et pris en charge par de nombreux fournisseurs, qui vous permet de créer des alias du type "nom de famille+[n'importe où]@exemple.com", parce que les sites web, les annonceurs et les réseaux de suivi peuvent trivialement supprimer tout ce qui se trouve après le signe `+`. Des organisations telles que l'[IAB] (https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) exigent que les annonceurs [normalisent les adresses électroniques] (https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) afin qu'elles puissent être corrélées et suivies, sans tenir compte des souhaits des utilisateurs en matière de protection de la vie privée. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Les alias peuvent être activés et désactivés individuellement lorsque vous en avez besoin, ce qui empêche les sites web de vous envoyer des courriels au hasard. +- Les réponses sont envoyées à partir de l'adresse alias, masquant ainsi votre véritable adresse électronique. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Les alias sont permanents et peuvent être réactivés si vous devez recevoir quelque chose comme une réinitialisation de mot de passe. +- Les courriels sont envoyés à votre boîte aux lettres électronique de confiance plutôt que d'être stockés par le fournisseur d'alias. 
+- Les services de messagerie temporaire proposent généralement des boîtes aux lettres publiques accessibles à toute personne connaissant l'adresse, alors que les alias sont privés. + +## Fournisseurs recommandés
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-L'alias d'e-mail peut également servir de protection au cas où votre fournisseur E-Mail cesserait ses activités. Dans ce cas, vous pouvez facilement rediriger vos alias vers une nouvelle adresse e-mail. En revanche, vous faites confiance au service d'alias pour qu'il continue de fonctionner. - -L'utilisation d'un service d'alias d'e-mail dédié présente également un certain nombre d'avantages par rapport à un alias fourre-tout sur un domaine personnalisé : - -- Les alias peuvent être activés et désactivés individuellement lorsque vous en avez besoin, ce qui empêche les sites web de vous envoyer des courriels au hasard. -- Les réponses sont envoyées à partir de l'adresse alias, masquant ainsi votre véritable adresse électronique. - -Ils présentent également un certain nombre d'avantages par rapport aux services de "courrier électronique temporaire" : - -- Les alias sont permanents et peuvent être réactivés si vous devez recevoir quelque chose comme une réinitialisation de mot de passe. -- Les courriels sont envoyés à votre boîte aux lettres électronique de confiance plutôt que d'être stockés par le fournisseur d'alias. -- Les services de messagerie temporaire proposent généralement des boîtes aux lettres publiques accessibles à toute personne connaissant l'adresse, alors que les alias sont privés. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. Ils peuvent également être auto-hébergés si vous souhaitez un contrôle maximal. Toutefois, l'utilisation d'un domaine personnalisé peut présenter des inconvénients en matière de protection de la vie privée : Si vous êtes la seule personne à utiliser votre domaine personnalisé, vos actions peuvent être facilement suivies sur les sites web simplement en regardant le nom de domaine dans l'adresse électronique et en ignorant tout ce qui se trouve avant le signe at (@). 
+Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. Ils peuvent également être auto-hébergés si vous souhaitez un contrôle maximal. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. L'utilisation d'un service d'alias nécessite de faire confiance à la fois à votre fournisseur de courrier électronique et à votre fournisseur d'alias pour vos messages non cryptés. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ L'utilisation d'un service d'alias nécessite de faire confiance à la fois à v ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Téléchargements -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -Vous pouvez créer un nombre illimité d'alias standard qui se terminent par un domaine comme @[nom d'utilisateur].addy.io ou un domaine personnalisé sur les plans payants. Toutefois, comme indiqué précédemment, cela peut nuire à la protection de la vie privée, car les gens peuvent facilement relier vos alias standard en se basant uniquement sur le nom de domaine. Ils sont utiles lorsqu'un domaine partagé peut être bloqué par un service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. Toutefois, comme indiqué précédemment, cela peut nuire à la protection de la vie privée, car les gens peuvent facilement relier vos alias standard en se basant uniquement sur le nom de domaine. Ils sont utiles lorsqu'un domaine partagé peut être bloqué par un service. 
+ +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Fonctionnalités gratuites notables : @@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin a été [racheté par Proton AG] (https://proton.me/news/proton-and-simplelogin-join-forces) le 8 avril 2022. Si vous utilisez Proton Mail pour votre boîte mail principale, SimpleLogin est un excellent choix. Les deux produits étant désormais détenus par la même société, vous ne devez plus faire confiance qu'à une seule entité. Nous supposons également que SimpleLogin sera plus étroitement intégré aux offres de Proton à l'avenir. SimpleLogin continue de prendre en charge la redirection vers le fournisseur d'e-mail de votre choix. Securitum a [audité](https://simplelogin.io/blog/security-audit) SimpleLogin au début de 2022 et tous les problèmes [ont été résolus](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin a été [racheté par Proton AG] (https://proton.me/news/proton-and-simplelogin-join-forces) le 8 avril 2022. Si vous utilisez Proton Mail pour votre boîte mail principale, SimpleLogin est un excellent choix. Les deux produits étant désormais détenus par la même société, vous ne devez plus faire confiance qu'à une seule entité. Nous supposons également que SimpleLogin sera plus étroitement intégré aux offres de Proton à l'avenir. SimpleLogin continue de prendre en charge la redirection vers le fournisseur d'e-mail de votre choix. -Vous pouvez lier votre compte SimpleLogin dans les paramètres avec votre compte Proton. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +Vous pouvez lier votre compte SimpleLogin dans les paramètres avec votre compte Proton. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). 
+Securitum a [audité](https://simplelogin.io/blog/security-audit) SimpleLogin au début de 2022 et tous les problèmes [ont été résolus](https://simplelogin.io/audit2022/web.pdf). Fonctionnalités gratuites notables : @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Critères -\*\*En plus de [nos critères standards] (about/criteria.md), nous évaluons les fournisseurs d'alias d'email selon les mêmes critères que nos [critères pour les fournisseurs d'email] (email.md#criteria), le cas échéant. Nous vous conseillons de vous familiariser avec cette liste avant de choisir un service de courrier électronique et de mener vos propres recherches pour vous assurer que le fournisseur que vous choisissez est celui qui vous convient le mieux. +\*\*En plus de [nos critères standards] (about/criteria.md), nous évaluons les fournisseurs d'alias d'email selon les mêmes critères que nos [critères pour les fournisseurs d'email] (email.md#criteria), le cas échéant. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/fr/email-clients.md b/i18n/fr/email-clients.md index e7ad0cc8..ab992138 100644 --- a/i18n/fr/email-clients.md +++ b/i18n/fr/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Fournisseurs de service](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Attaques ciblées](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
L'e-mail n'assure pas la confidentialité persistante diff --git a/i18n/fr/email.md b/i18n/fr/email.md index 8a5fdde2..de82d2c9 100644 --- a/i18n/fr/email.md +++ b/i18n/fr/email.md 
@@ -22,19 +22,19 @@ L'e-mail est pratiquement une nécessité pour utiliser n'importe quel service e Pour tout le reste, nous recommandons une variété de fournisseurs d'email en fonction de la viabilité de leur modèle économique et de leurs fonctions intégrées de sécurité et de confidentialité. Lisez notre \[liste complète de critères\](#criteres) pour plus d'informations. -| Fournisseur | OpenPGP / WKD | IMAP / SMTP | Chiffrement zéro accès | Paiements anonymes | -| --------------------------- | -------------------------------------- | ------------------------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------ | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Abonnements payants uniquement | :material-check:{ .pg-green } | Argent liquide | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } E-mails seulement | Argent liquide | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & argent liquide via un tiers | +| Fournisseur | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ------------------------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Abonnements payants uniquement | :material-check:{ .pg-green } | Argent liquide | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } E-mails seulement | Argent liquide | +| [Tuta](#tuta) | 
:material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -En plus (ou à la place) d'un fournisseur de courrier électronique recommandé ici, vous pouvez envisager un [service d'alias de courrier électronique](email-aliasing.md) dédié pour protéger votre vie privée. Ces services permettent notamment de protéger votre boîte de réception réelle contre le spam, d'empêcher les spécialistes du marketing d'établir une corrélation entre vos comptes et de crypter tous les messages entrants à l'aide de PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Ces services permettent notamment de protéger votre boîte de réception réelle contre le spam, d'empêcher les spécialistes du marketing d'établir une corrélation entre vos comptes et de crypter tous les messages entrants à l'aide de PGP. - [En savoir plus :material-arrow-right-drop-circle:](email-aliasing.md) ## Services compatibles avec OpenPGP -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Par exemple, un utilisateur de Proton Mail peut envoyer un message E2EE à un utilisateur de Mailbox.org, ou vous pouvez recevoir des notifications chiffrées par OpenPGP de la part de services internet qui le supportent. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Par exemple, un utilisateur de Proton Mail peut envoyer un message E2EE à un utilisateur de Mailbox.org, ou vous pouvez recevoir des notifications chiffrées par OpenPGP de la part de services internet qui le supportent.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key Lors de l'utilisation d'une technologie E2EE telle que OpenPGP, votre e-mail contiendra toujours certaines métadonnées non chiffrées dans l'en-tête, y compris généralement la ligne d'objet ! En savoir plus sur les [métadonnées des e-mails](basics/email-security.md#email-metadata-overview). -OpenPGP ne prend pas non plus en charge la confidentialité persistante, ce qui signifie que si votre clé privée ou celle du destinataire est volée, tous les messages précédents chiffrés avec elle seront exposés. [Comment protéger mes clés privées ?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP ne prend pas non plus en charge la confidentialité persistante, ce qui ![Logo Proton Mail](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** est un service d'e-mail qui met l'accent sur la confidentialité, le chiffrement, la sécurité et la facilité d'utilisation. Ils sont en activité depuis 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** est un service d'e-mail qui met l'accent sur la confidentialité, le chiffrement, la sécurité et la facilité d'utilisation. Ils sont en activité depuis 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP ne prend pas non plus en charge la confidentialité persistante, ce qui -Les comptes gratuits présentent certaines limitations, comme le fait de ne pas pouvoir effectuer de recherche dans le corps du texte et de ne pas avoir accès à [Proton Mail Bridge](https://proton.me/mail/bridge), qui est nécessaire pour utiliser un [client d'e-mail de bureau recommandé](email-clients.md) (par exemple Thunderbird). Les comptes payants comprennent des fonctionnalités telles que Proton Mail Bridge, un espace de stockage supplémentaire et la prise en charge de domaines personnalisés. Une [lettre d'attestation](https://proton.me/blog/security-audit-all-proton-apps) a été fournie pour les applications de Proton Mail le 9 novembre 2021 par [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Les comptes payants comprennent des fonctionnalités telles que Proton Mail Bridge, un espace de stockage supplémentaire et la prise en charge de domaines personnalisés. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +Une [lettre d'attestation](https://proton.me/blog/security-audit-all-proton-apps) a été fournie pour les applications de Proton Mail le 9 novembre 2021 par [Securitum](https://research.securitum.com). Proton Mail dispose de rapports de plantages internes qu'il **ne partage pas** avec des tiers. Ils peuvent être désactivés dans l'application web : :gear: → **Tous les paramètres** → **Compte** → **Sécurité et vie privée** → **Vie privée et collecte de données**. 
@@ -93,7 +97,7 @@ Les abonnés payants à Proton Mail peuvent utiliser leur propre domaine avec le #### :material-check:{ .pg-green } Modes de paiement privés -Proton Mail [accepte](https://proton.me/support/payment-options) les paiements en espèces par courrier, ainsi que les paiements par carte de crédit/débit, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc)et PayPal. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Sécurité du compte 
@@ -109,7 +113,7 @@ Certaines informations stockées dans [Proton Contacts](https://proton.me/suppor Proton Mail a [du chiffrement OpenPGP intégré](https://proton.me/support/how-to-use-pgp) dans son interface d'e-mail web. Les e-mails destinés à d'autres comptes Proton Mail sont chiffrés automatiquement, et le chiffrement vers des adresses autres que Proton Mail avec une clé OpenPGP peut être activé facilement dans les paramètres de votre compte. Proton also supports automatic external key discovery with WKD. Cela signifie que les e-mails envoyés à d'autres fournisseurs qui utilisent WKD seront automatiquement chiffrés avec OpenPGP, sans qu'il soit nécessaire d'échanger manuellement des clés PGP publiques avec vos contacts. Ils vous permettent également de [chiffrer des messages destinés à des adresses non Proton Mail sans OpenPGP](https://proton.me/support/password-protected-emails), sans qu'ils aient besoin de s'inscrire à un compte Proton Mail. -Proton Mail publie également les clés publiques des comptes Proton via HTTP à partir de leur WKD. Cela permet aux personnes qui n'utilisent pas Proton Mail de trouver facilement les clés OpenPGP des comptes Proton Mail, pour un E2EE inter-fournisseurs. Cela ne s'applique qu'aux adresses e-mails se terminant par un domaine Proton, comme @proton.me. Si vous utilisez un domaine personnalisé, vous devez [configurer le WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) séparément. +Proton Mail publie également les clés publiques des comptes Proton via HTTP à partir de leur WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Résiliation du compte 
@@ -117,17 +121,17 @@ Si vous avez un compte payant et que votre [facture est impayée](https://proton #### :material-information-outline:{ .pg-blue } Fonctionnalités supplémentaires -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail ne propose pas de fonction d'héritage numérique. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Logo de Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** est un service d'e-mail qui se veut sécurisé, sans publicité et alimenté par une énergie 100% écologique. Il est en activité depuis 2014. Mailbox.org est basé à Berlin, en Allemagne. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. Il est en activité depuis 2014. Mailbox.org est basé à Berlin, en Allemagne. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org vous permet d'utiliser votre propre domaine et prend en charge les a #### :material-check:{ .pg-green } Modes de paiement privés -Mailbox.org n'accepte aucune crypto-monnaie en raison de la suspension des activités de son processeur de paiement BitPay en Allemagne. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org n'accepte aucune crypto-monnaie en raison de la suspension des activités de son processeur de paiement BitPay en Allemagne. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Sécurité du compte -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. Vous pouvez utiliser TOTP ou une [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via [YubiCloud](https://yubico.com/products/services-software/yubicloud). Les normes web telles que [WebAuthn](https://fr.wikipedia.org/wiki/WebAuthn) ne sont pas encore prises en charge. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. Vous pouvez utiliser TOTP ou une [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Sécurité des données Mailbox.org permet le chiffrement des e-mails entrant à l'aide de sa [boîte e-mails chiffrée](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
Les nouveaux messages que vous recevrez seront alors immédiatement chiffrés avec votre clé publique. -Cependant, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), la plateforme logicielle utilisée par Mailbox.org, [ne prend pas en charge](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) le chiffrement de votre carnet d'adresses et de votre calendrier. Une [option tierce](calendar.md) pourrait être plus appropriée pour ces informations. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Chiffrement des e-mails Mailbox.org a [du chiffrement intégré](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) dans son interface d'e-mail web, ce qui simplifie l'envoi de messages à des personnes possédant des clés OpenPGP publiques. Ils permettent également aux [destinataires distants de déchiffrer un e-mail](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) sur les serveurs de Mailbox.org. Cette fonction est utile lorsque le destinataire distant ne dispose pas d'OpenPGP et ne peut pas déchiffrer une copie de l'e-mail dans sa propre boîte mail. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Cela permet aux personnes extérieures à Mailbox.org de trouver facilement les clés OpenPGP des comptes Mailbox.org, pour un E2EE inter-fournisseurs. Cela ne s'applique qu'aux adresses e-mails se terminant par un domaine Mailbox, comme @mailbox.org. Si vous utilisez un domaine personnalisé, vous devez [configurer le WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) séparément. 
+Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Résiliation du compte @@ -176,7 +180,7 @@ Vous pouvez accéder à votre compte Mailbox.org via IMAP/SMTP en utilisant leur Tous les comptes sont assortis d'un espace de stockage cloud limité, qui [peut être chiffré](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org propose également l'alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), qui applique le chiffrement TLS à la connexion entre les serveurs d'e-mail, faute de quoi le message ne sera pas envoyé. Mailbox.org prend également en charge [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) en plus des protocoles d'accès standard comme IMAP et POP3. -Mailbox.org dispose d'une fonction d'héritage numérique pour toutes les offres. Vous pouvez choisir de transmettre certaines de vos données à vos héritiers, à condition d'en faire la demande et de fournir votre testament. Vous pouvez également désigner une personne par son nom et son adresse. +Mailbox.org dispose d'une fonction d'héritage numérique pour toutes les offres. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Vous pouvez également désigner une personne par son nom et son adresse. ## D'autres fournisseurs 
@@ -195,7 +199,9 @@ Ces fournisseurs stockent vos e-mails avec un chiffrement à connaissance zéro, ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta est en activité depuis 2011 et est basée à Hanovre, en Allemagne. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta est en activité depuis 2011 et est basée à Hanovre, en Allemagne. + +Les comptes gratuits commencent avec 1 Go de stockage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Les comptes Tuta payants peuvent utiliser 15 ou 30 alias en fonction de leur abo #### :material-information-outline:{ .pg-blue } Modes de paiement privés -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Sécurité du compte 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Sécurité des données -Tuta dispose d'un [chiffrement à accès zéro au repos](https://tuta.com/support#what-encrypted) pour vos e-mails, votre [carnet d'adresses, vos contacts](https://tuta.com/support#encrypted-address-book) et vos [calendriers](https://tuta.com/support#calendar). Cela signifie que les messages et autres données stockés dans votre compte ne sont lisibles que par vous. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Cela signifie que les messages et autres données stockés dans votre compte ne sont lisibles que par vous. #### :material-information-outline:{ .pg-blue } Chiffrement des e-mails @@ -248,8 +254,6 @@ Tuta supprimera [les comptes gratuits inactifs](https://tuta.com/support#inactiv Tuta offre la version professionnelle de [Tuta aux organisations à but non lucratif](https://tuta.com/blog/secure-email-for-non-profit) gratuitement ou avec une forte réduction. -Tuta ne propose pas de fonction d'héritage numérique. - ## E-mail auto-hébergé Les administrateurs système peuvent envisager de mettre en place leur propre serveur d'e-mail. Les serveurs d'e-mail requièrent une attention et une maintenance permanente afin de garantir la sécurité et la fiabilité de la distribution des e-mails. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ Nous considérons ces caractéristiques comme importantes afin de fournir un ser **Minimum pour se qualifier :** -- Chiffre les données du compte e-mail au repos avec un chiffrement à accès zéro. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Fonctionne sur sa propre infrastructure, c'est-à-dire qu'elle ne repose pas sur des fournisseurs de services d'e-mail tiers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Les noms de domaine personnalisés sont importants pour les utilisateurs car ils leur permettent de conserver leur indépendance du service, au cas où celui-ci tournerait mal ou serait racheté par une autre société qui ne donne pas priorité à la vie privée. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Dans le meilleur des cas :** -- Chiffre toutes les données du compte (contacts, calendriers, etc.) au repos avec un chiffrement à accès zéro. -- Une interface d'e-mail web intégrée avec chiffrement E2EE/PGP est fournie à titre de commodité. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. Les utilisateurs de GnuPG peuvent obtenir une clé en tapant : `gpg --locate-key utilisateur_exemple@exemple.fr` -- Prise en charge d'une boîte mail temporaire pour les utilisateurs externes. Cette fonction est utile lorsque vous souhaitez envoyer un e-mail chiffré, sans envoyer une copie réelle à votre destinataire. Ces e-mails ont généralement une durée de vie limitée et sont ensuite automatiquement supprimés. 
Ils n'obligent pas non plus le destinataire à configurer un système de chiffrement comme OpenPGP. -- Disponibilité des services du fournisseur d'e-mail via un [service onion](https://en.wikipedia.org/wiki/.onion). -- Support du [sous-adressage](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Les noms de domaine personnalisés sont importants pour les utilisateurs car ils leur permettent de conserver leur indépendance du service, au cas où celui-ci tournerait mal ou serait racheté par une autre société qui ne donne pas priorité à la vie privée. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Prise en charge d'une boîte mail temporaire pour les utilisateurs externes. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. Ces e-mails ont généralement une durée de vie limitée et sont ensuite automatiquement supprimés. Ils n'obligent pas non plus le destinataire à configurer un système de chiffrement comme OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Les noms de domaine personnalisés sont importants pour les utilisateurs car ils leur permettent de conserver leur indépendance du service, au cas où celui-ci tournerait mal ou serait racheté par une autre société qui ne donne pas priorité à la vie privée. - Catch-all or alias functionality for those who use their own domains. 
-- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Confidentialité 
@@ -337,30 +342,30 @@ Nous préférons que nos prestataires recommandés collectent le moins de donné **Minimum pour se qualifier :** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Ne demandez pas de Données à Caractère Personnel (DCP) en plus d'un nom d'utilisateur et d'un mot de passe. -- Politique de confidentialité répondant aux exigences définies par le RGPD. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Dans le meilleur des cas :** -- Accepte des [options de paiement anonymes](advanced/payments.md) ([crypto-monnaie](cryptocurrency.md), argent liquide, cartes cadeaux, etc.) -- Hébergé dans une juridiction disposant de lois strictes en matière de protection de la confidentialité des e-mails. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Sécurité -Les serveurs d'e-mail traitent un grand nombre de données très sensibles. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum pour se qualifier :** -- Protection de l'interface d'e-mail web avec une A2F, tel que TOTP. -- Zero access encryption, which builds on encryption at rest. Le fournisseur ne dispose pas des clés de déchiffrement des données qu'il détient. Cela permet d'éviter qu'un employé malhonnête ne divulgue les données auxquelles il a accès ou qu'un adversaire distant ne divulgue les données qu'il a volées en obtenant un accès non autorisé au serveur. 
+- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. Le fournisseur ne dispose pas des clés de déchiffrement des données qu'il détient. Cela permet d'éviter qu'un employé malhonnête ne divulgue les données auxquelles il a accès ou qu'un adversaire distant ne divulgue les données qu'il a volées en obtenant un accès non autorisé au serveur. - Prise en charge de [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). - Aucune erreurs ou vulnérabilités TLS lors du profilage par des outils tels que [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), ou [Qualys SSL Labs](https://ssllabs.com/ssltest); cela inclut les erreurs liées aux certificats et les paramètres DH faibles, tels que ceux qui ont conduit à [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- Une préférence pour les serveurs (facultatif sur TLSv1.3) pour des suites de chiffrement fortes qui prennent en charge la confidentialité persistante et le chiffrement authentifié. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - Une politique valide [MTA-STS](https://tools.ietf.org/html/rfc8461) et [TLS-RPT](https://tools.ietf.org/html/rfc8460). - Des enregistrements [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) valides. - Des enregistrements [SPF](https://fr.wikipedia.org/wiki/Sender_Policy_Framework) et [DKIM](https://fr.wikipedia.org/wiki/DomainKeys_Identified_Mail) valides. -- Disposer d'un enregistrement et d'une politique [DMARC](https://fr.wikipedia.org/wiki/DMARC) appropriés ou utiliser [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) pour l'authentification. Si l'authentification DMARC est utilisée, la politique doit être définie comme suit : `reject` ou `quarantine`. 
+- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. Si l'authentification DMARC est utilisée, la politique doit être définie comme suit : `reject` ou `quarantine`. - Une préférence pour une suite de serveur TLS 1.2 ou plus récente et un plan pour [RFC8996](https://datatracker.ietf.org/doc/rfc8996). - Une soumission [SMTPS](https://en.wikipedia.org/wiki/SMTPS), en supposant que le SMTP est utilisé. - Des normes de sécurité des sites web telles que : @@ -370,10 +375,10 @@ Les serveurs d'e-mail traitent un grand nombre de données très sensibles. We e **Dans le meilleur des cas :** -- Prise en charge de l'authentification matérielle, à savoir U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - Un [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) en plus de la prise en charge de DANE. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Des audits de sécurité publiés par une société tierce réputée. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Des programmes de primes aux bugs et/ou un processus coordonné de divulgation des vulnérabilités. - Des normes de sécurité des sites web telles que : - [Content Security Policy (CSP)](https://fr.wikipedia.org/wiki/Content_Security_Policy) 
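Review bot: in the @@ -370,10 +375,10 @@ hunk the bullet "+- Published security audits from a reputable, third-party firm." drops the "Should ..." lead that the other rewritten bullets in the same "best case" list adopt ("+- Should support hardware authentication", "+- Should implement [Authenticated Received Chain (ARC)]"); for a consistent list it should read "Should publish security audits from a reputable third-party firm." (and no comma between "reputable" and "third-party").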
@@ -381,7 +386,7 @@ Les serveurs d'e-mail traitent un grand nombre de données très sensibles. We e ### Confiance -Vous ne confieriez pas vos finances à une personne ayant une fausse identité, alors pourquoi lui confier vos e-mails ? Nous exigeons de nos fournisseurs recommandés qu'ils rendent public leur propriété ou leur direction. Nous aimerions également voir des rapports de transparence fréquents, notamment en ce qui concerne la manière dont les demandes de gouvernement sont traitées. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Nous exigeons de nos fournisseurs recommandés qu'ils rendent public leur propriété ou leur direction. Nous aimerions également voir des rapports de transparence fréquents, notamment en ce qui concerne la manière dont les demandes de gouvernement sont traitées. **Minimum pour se qualifier :** 
@@ -398,19 +403,16 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum pour se qualifier :** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Prétendre à un "chiffrement incassable". Le chiffrement doit être utilisé en supposant qu'il ne soit plus secret dans le futur, lorsque la technologie existera pour le décrypter. -- Garantir la protection de l'anonymat à 100%. Lorsque quelqu'un prétend que quelque chose est à 100%, cela signifie qu'il n'y a aucune certitude d'échec. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Réutiliser des informations personnelles (par exemple comptes d'e-mail, pseudonymes uniques, etc.) auxquelles ils ont eu accès sans logiciel d'anonymat (Tor, VPN, etc.) - - [La capture d'empreinte numérique des navigateurs](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Empreinte numérique des navigateurs](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Dans le meilleur des cas :** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. 
### Fonctionnalités supplémentaires -Bien qu'il ne s'agisse pas d'exigences strictes, nous avons pris en compte d'autres facteurs liés à la commodité ou à la confidentialité pour déterminer les fournisseurs à recommander. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/fr/os/android-overview.md b/i18n/fr/os/android-overview.md index cccf6766..0eef4800 100644 --- a/i18n/fr/os/android-overview.md +++ b/i18n/fr/os/android-overview.md @@ -132,7 +132,7 @@ Si vous avez un compte Google, nous vous suggérons de vous inscrire au [Program Le Programme de Protection Avancée offre une surveillance accrue des menaces et permet : -- Une authentification à deux facteurs plus stricte; par exemple, seul [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **doit** être utilisé et toute autre type de double autentification tels que [SMS OTP](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) et [OAuth](https://en.wikipedia.org/wiki/OAuth) sont bloqués +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Seul Google et les applications tierces vérifiées peuvent accéder aux données du compte - Une analyse des e-mails entrants sur les comptes Gmail pour détecter les tentatives de [hameçonnage](https://en.wikipedia.org/wiki/Phishing#Email_phishing) - Une [analyse plus stricte de la sécurité du navigateur](https://google.com/chrome/privacy/whitepaper.html#malware) avec Google Chrome 
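Review bot: in the i18n/fr/os/android-overview.md @@ -132,7 +132,7 @@ hunk, the rewritten bullet lists OAuth next to SMS OTPs and TOTP as a disallowed form of two-factor authentication, but OAuth is not an authentication factor; what Advanced Protection restricts is third-party application access to account data, which the following unchanged bullet "Seul Google et les applications tierces vérifiées peuvent accéder aux données du compte" already covers. Suggest dropping OAuth from the 2FA bullet, or moving the clause to that next bullet. Retargeting the link from Wikipedia to "../basics/account-creation.md#sign-in-with-oauth" is fine and matches the other files in this patch.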
@@ -154,7 +154,9 @@ Si vous avez un appareil sous Android 10 minimum qui n'est plus supporté et que Tous les appareils sur lesquels les Google Play Services sont installés génèrent automatiquement un [identifiant publicitaire](https://support.google.com/googleplay/android-developer/answer/6048248) utilisé pour la publicité ciblée. Désactivez cette fonctionnalité pour limiter les données collectées à votre sujet. -Sur les distributions Android avec [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), allez dans :gear: **Paramètres** → **Applications** → **Sandboxed Google Play** → **Paramètres Google** → **Annonces**, et sélectionnez *Supprimer l'ID publicitaire*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Vérifiez: diff --git a/i18n/he/basics/account-creation.md b/i18n/he/basics/account-creation.md index 10a65a49..bcf259e5 100644 --- a/i18n/he/basics/account-creation.md +++ b/i18n/he/basics/account-creation.md 
@@ -42,7 +42,7 @@ The Privacy Policy is how the service says they will use your data, and it is wo #### כינויי אימייל -אם אינך רוצה לתת את כתובת האימייל האמיתית שלך לשירות, יש לך אפשרות להשתמש בכינוי. תיארנו אותם ביתר פירוט בדף ההמלצות של שירותי האימייל שלנו. בעיקרון, שירותי כינוי מאפשרים לך ליצור כתובות אימייל חדשות המעבירות את כל המיילים לכתובת הראשית שלך. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. ניתן לסנן אותם באופן אוטומטי על סמך הכינוי שאליו הם נשלחים. +אם אינך רוצה לתת את כתובת האימייל האמיתית שלך לשירות, יש לך אפשרות להשתמש בכינוי. We describe them in more detail on our email services recommendation page. בעיקרון, שירותי כינוי מאפשרים לך ליצור כתובות אימייל חדשות המעבירות את כל המיילים לכתובת הראשית שלך. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. ניתן לסנן אותם באופן אוטומטי על סמך הכינוי שאליו הם נשלחים. אם שירות ייפרץ, ייתכן שתתחיל לקבל הודעות דיוג או דואר זבל לכתובת שבה השתמשת כדי להירשם. שימוש בכינויים ייחודיים עבור כל שירות יכול לסייע בזיהוי בדיוק איזה שירות נפרץ. 
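Review bot: the new source sentence "We describe them in more detail on our email services recommendation page." names a page but carries no link, whereas the rest of the paragraph links its cross-references; the aliasing page touched later in this same patch (i18n/he/email-aliasing.md) is the natural target. Also, this sentence and "This can help prevent tracking across services..." are the only English sentences inside an otherwise Hebrew paragraph, so the paragraph reads mixed-language until they are translated.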
@@ -50,19 +50,19 @@ The Privacy Policy is how the service says they will use your data, and it is wo ### "להתחבר עם..." (OAuth) -OAuth הוא פרוטוקול אימות המאפשר לך להירשם לשירות מבלי לשתף מידע רב עם ספק השירות, אם בכלל, על ידי שימוש בחשבון קיים שיש לך עם שירות אחר במקום זאת. בכל פעם שאתה רואה משהו בסגנון "היכנס עם *שם הספק*" בטופס הרשמה, זה בדרך כלל באמצעות OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. בכל פעם שאתה רואה משהו בסגנון "היכנס עם *שם הספק*" בטופס הרשמה, זה בדרך כלל באמצעות OAuth. כאשר אתה נכנס עם OAuth, הוא יפתח דף התחברות עם הספק שתבחר, והחשבון הקיים והחשבון החדש שלך יחוברו. הסיסמה שלך לא תשותף, אבל בדרך כלל יש מידע בסיסי (תוכל לעיין בה במהלך בקשת ההתחברות). תהליך זה נחוץ בכל פעם שאתה רוצה להיכנס לאותו חשבון. היתרונות העיקריים הם: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **קלות שימוש**: מספר חשבונות מנוהלים על ידי התחברות אחת. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. 
אבל יש חסרונות: -- **פרטיות**: ספק ה-OAuth שאיתו אתה מתחבר יידע באילו שירותים אתה משתמש. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. ההמלצה שלנו היא להגביל את השימוש ב-OAuth רק למקום שבו אתה זקוק לו, ולהגן תמיד על החשבון הראשי באמצעות [MFA](multi-factor-authentication.md). diff --git a/i18n/he/basics/email-security.md b/i18n/he/basics/email-security.md index f6abb4c2..8b48e2a4 100644 --- a/i18n/he/basics/email-security.md +++ b/i18n/he/basics/email-security.md 
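Review bot: the rewritten definition "[Open Authorization (OAuth)](...) is an authentication protocol" contradicts itself: OAuth is an authorization framework for delegated access to resources, and the authentication layer behind "Sign in with ..." buttons is OpenID Connect built on top of it. Either drop the expansion and say "OAuth-based sign-in", or say "is an authorization framework commonly used for sign-in". The split of the "Security" bullet into two sentences and the "Ease-of-use" capitalization read fine.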
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -אימייל הוא צורת תקשורת לא מאובטחת כברירת מחדל. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +אימייל הוא צורת תקשורת לא מאובטחת כברירת מחדל. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. כתוצאה מכך, האימייל משמש בצורה הטובה ביותר לקבלת הודעות אימייל עסקאות (כמו התראות, אימייל אימות, איפוסי סיסמה וכו') מהשירותים שאליהם אתה נרשם באופן מקוון, לא לתקשורת עם אחרים. ## סקירת הצפנת אימייל -הדרך הסטנדרטית להוסיף E2EE למיילים בין ספקי אימייל שונים היא באמצעות OpenPGP. ישנם יישומים שונים של תקן OpenPGP, הנפוצים ביותר הם [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) ו- [OpenPGP.js](https://openpgpjs.org). +הדרך הסטנדרטית להוסיף E2EE למיילים בין ספקי אימייל שונים היא באמצעות OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -גם אם אתה משתמש ב - OpenPGP, הוא אינו תומך בסודיות [קדימה](https://en.wikipedia.org/wiki/Forward_secrecy), כלומר אם המפתח הפרטי שלך או של הנמען ייגנב אי פעם, כל ההודעות הקודמות שהוצפנו איתו ייחשפו. זו הסיבה שאנו ממליצים על [מסנג'רים מיידיים](../real-time-communication.md) אשר מיישמים סודיות קדימה על פני דואר אלקטרוני עבור הודעות פנים אל פנים במידת האפשר. +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. 
זו הסיבה שאנו ממליצים על [מסנג'רים מיידיים](../real-time-communication.md) אשר מיישמים סודיות קדימה על פני דואר אלקטרוני עבור הודעות פנים אל פנים במידת האפשר. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## What is the Web Key Directory standard? 
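Review bot: "Google Workplace" in the S/MIME sentence should be "Google Workspace" (the product name; the link already points to support.google.com/a/topic/9061730), and removing the comma after "however" leaves a comma splice; suggest "called [S/MIME](...); however, it requires a certificate issued from a [Certificate Authority](...)". Also the rewritten "Even if you use OpenPGP, it does not support [forward secrecy]..." sentence is followed in the same paragraph by the untranslated Hebrew sentence, so the paragraph is mixed-language until translated.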
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### אילו לקוחות אימייל תומכים ב - E2EE? -ספקי אימייל המאפשרים לך להשתמש בפרוטוקולי גישה סטנדרטיים כגון IMAP ו- SMTP יכולים לשמש עם כל אחד מ[קליינטי הדואר האלקטרוני שאנו ממליצים עליהם](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +ספקי אימייל המאפשרים לך להשתמש בפרוטוקולי גישה סטנדרטיים כגון IMAP ו- SMTP יכולים לשמש עם כל אחד מ[קליינטי הדואר האלקטרוני שאנו ממליצים עליהם](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### כיצד אוכל להגן על המפתחות הפרטיים שלי? 
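Review bot: the "OATH" to "OAuth" correction in the IMAP/SMTP sentence is the right fix (OAuth-based mail-client login lets the provider enforce MFA at its web sign-in, which plain password authentication cannot), but the sentence is still hard to parse; suggest "Depending on the authentication method, security may decrease: multifactor authentication is not possible with plain password authentication, so it is only available if both the provider and the email client support [OAuth](...) or a bridge application." The WKD-as-a-Service instructions (CNAME on the `openpgpkey` subdomain pointed to `wkd.keys.openpgp.org`, then upload the key) are unchanged in substance; only the wording and the `@gmail.com` code formatting changed.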
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## סקירה כללית של מטא נתונים בדוא"ל -מטא נתונים של דואר אלקטרוני מאוחסנים בכותרת [של ההודעה](https://en.wikipedia.org/wiki/Email#Message_header) של הודעת הדואר האלקטרוני וכוללים כמה כותרות גלויות שייתכן שראית כגון: `עד`, `מ`, `Cc`, `תאריך`, `נושא`. יש גם מספר כותרות נסתרות שנכללות על ידי לקוחות דוא"ל וספקים רבים שיכולים לחשוף מידע על החשבון שלך. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. יש גם מספר כותרות נסתרות שנכללות על ידי לקוחות דוא"ל וספקים רבים שיכולים לחשוף מידע על החשבון שלך. תוכנת הלקוח עשויה להשתמש במטא נתונים של דוא"ל כדי להראות מי ההודעה ומאיזו שעה היא התקבלה. השרתים רשאים להשתמש בו כדי לקבוע לאן תישלח הודעת דוא"ל, בין [מטרות אחרות](https://en.wikipedia.org/wiki/Email#Message_header) שאינן תמיד שקופות. ### מי יכול לצפות במטא נתונים של דוא"ל? -מטא נתונים של דוא"ל מוגנים מפני משקיפים חיצוניים עם [TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) אופורטוניסטיים המגנים עליהם מפני משקיפים חיצוניים, אך הם עדיין ניתנים לצפייה על ידי תוכנת לקוח הדוא"ל שלך (או דואר האינטרנט) וכל שרת שמעביר את ההודעה ממך לנמענים כלשהם, כולל ספק הדוא"ל שלך. לפעמים שרתי דוא"ל ישתמשו גם בשירותי צד שלישי כדי להגן מפני תגובות זבל, שבדרך כלל יש להם גם גישה להודעות שלך. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. לפעמים שרתי דוא"ל ישתמשו גם בשירותי צד שלישי כדי להגן מפני תגובות זבל, שבדרך כלל יש להם גם גישה להודעות שלך. ### למה מטא נתונים לא יכולים להיות E2EE? 
-מטא נתונים של דואר אלקטרוני חיוניים לפונקציונליות הבסיסית ביותר של דואר אלקטרוני (מהיכן הוא הגיע ולאן הוא צריך ללכת). E2EE לא היה מובנה בפרוטוקולי הדואר האלקטרוני במקור, ובמקום זאת נדרש לתוכנת הרחבה כמו OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +מטא נתונים של דואר אלקטרוני חיוניים לפונקציונליות הבסיסית ביותר של דואר אלקטרוני (מהיכן הוא הגיע ולאן הוא צריך ללכת). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/he/email-aliasing.md b/i18n/he/email-aliasing.md index 4c067382..258fb2e5 100644 --- a/i18n/he/email-aliasing.md +++ b/i18n/he/email-aliasing.md 
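Review bot: "Email metadata is protected from outside observers with [opportunistic TLS]" overstates the guarantee: opportunistic (STARTTLS) encryption applies only when both relaying servers negotiate it and offers no protection when the negotiation is downgraded, which is exactly why the provider criteria elsewhere in this patch require MTA-STS, TLS-RPT and DANE. Suggest "protected from passive outside observers when opportunistic TLS is negotiated between servers". The rest of the hunk (dropping the duplicated "protecting them from outside observers" clause, and the English header names `To`, `From`, `Cc`, `Date`, `Subject`) reads fine.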
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## ספקים מומלצים
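Review bot: in the new "## Benefits" section the intro line "Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods:" ends with a colon but is followed by a subheading rather than a list, and "### Over Catch-All Aliases" then restates it ("Using a dedicated email aliasing service has a number of benefits over..."); drop the colon or fold the intro into the subheadings. Also, the bullet "Emails are sent to your trusted mailbox rather than stored by the alias provider" should carry the caveat the page states further down ("requires trusting both your email provider and your aliasing provider with your unencrypted messages"), e.g. "forwarded by, rather than stored at, the alias provider", so the advantage over temporary-email services is not read as the alias provider never seeing the message.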
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
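Review bot: terminology drifts inside the @@ -42,29 +56,31 @@ hunk: the lead sentence says Addy.io offers "10 domain aliases on a shared domain for free", while the paragraph below calls the same thing "shared aliases (which end in a shared domain like `@addy.io`)"; use "shared aliases" in both places. Replacing the hard-coded tiers ("50 on their $1/month plan and unlimited on the $4/month plan") with a link to addy.io/#pricing is the right call, as is moving the Securitum audit sentence into its own paragraph and quoting the `title=` attributes.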
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## קריטריונים -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/he/email-clients.md b/i18n/he/email-clients.md index 4ef19f2f..7ab82a53 100644 --- a/i18n/he/email-clients.md +++ b/i18n/he/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: ספקי שירות](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: התקפות ממוקדות](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/he/email.md b/i18n/he/email.md index 79d81c54..0807151c 100644 --- a/i18n/he/email.md +++ b/i18n/he/email.md @@ -22,19 +22,19 @@ global: לכל השאר, אנו ממליצים על מגוון ספק אימייל המבוססים על מודלים עסקיים ברי קיימא ותכונות אבטחה ופרטיות מובנות. קרא את \[רשימת הקריטריונים המלאה\](#_20) שלנו למידע נוסף. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | מזומן | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | מזומן | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | מזומן | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | מזומן | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## ספקי אימייל מומלצים -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. לדוגמה, משתמש Proton Mail יכול לשלוח הודעת E2EE למשתמש Mailbox.org, או שאתה יכול לקבל התראות מוצפנות OpenPGP משירותי אינטרנט התומכים בכך. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. לדוגמה, משתמש Proton Mail יכול לשלוח הודעת E2EE למשתמש Mailbox.org, או שאתה יכול לקבל התראות מוצפנות OpenPGP משירותי אינטרנט התומכים בכך.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail לוגו](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** הוא שירות דואר אלקטרוני עם התמקדות בפרטיות, הצפנה, אבטחה וקלות שימוש. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** הוא שירות דואר אלקטרוני עם התמקדות בפרטיות, הצפנה, אבטחה וקלות שימוש. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -לחשבונות חינמיים יש מגבלות מסוימות, כגון חוסר היכולת לחפש גוף טקסט ואי גישה ל[Proton Mail Bridge](https://proton.me/mail/bridge), אשר נדרש כדי השתמש ב[לקוח אימייל שולחן העבודה המומלץ](email-clients.md) (למשל Thunderbird). חשבונות בתשלום כוללים תכונות כגון Proton Mail Bridge, אחסון נוסף ותמיכה בתחומים מותאמים אישית. [מכתב אישור](https://proton.me/blog/security-audit-all-proton-apps) סופק עבור האפליקציות של Proton Mail ב-9 בנובמבר 2021 על ידי [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). חשבונות בתשלום כוללים תכונות כגון Proton Mail Bridge, אחסון נוסף ותמיכה בתחומים מותאמים אישית. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +[מכתב אישור](https://proton.me/blog/security-audit-all-proton-apps) סופק עבור האפליקציות של Proton Mail ב-9 בנובמבר 2021 על ידי [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Proton Mail has internal crash reports that are **not** shared with third partie #### :material-check:{ .pg-green } שיטות תשלום פרטיות -Proton Mail [מקבל](https://proton.me/support/payment-options) מזומן בדואר בנוסף לתשלומי אשראי/חיוב רגילים, [ביטקוין](advanced/payments.md#other-coins-bitcoin-ethereum-etc) ופייפאל. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } אבטחת חשבון 
@@ -109,7 +113,7 @@ Proton Mail supports TOTP [two-factor authentication](https://proton.me/support/ Proton Mail [שילבה הצפנת OpenPGP](https://proton.me/support/how-to-use-pgp) בדואר האינטרנט שלהם. אימיילים לחשבונות Proton Mail אחרים מוצפנים באופן אוטומטי, וניתן להפעיל הצפנה לכתובות שאינן פרוטון מייל עם מפתח OpenPGP בקלות בהגדרות החשבון שלך. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. זה מאפשר לאנשים שאינם משתמשים ב-Proton Mail למצוא בקלות את מפתחות OpenPGP של חשבונות Proton Mail, עבור E2EE חוצה ספקים. זה חל רק על כתובות אימיילים המסתיימות באחד מהדומיינים של פרוטון עצמו, כמו proton.me@. אם אתה משתמש בדומיין מותאם אישית, עליך [להגדיר את WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) בנפרד. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } סגירת חשבון 
@@ -117,17 +121,17 @@ Proton Mail also publishes the public keys of Proton accounts via HTTP from thei #### :material-information-outline:{ .pg-blue } פונקציונליות נוספת -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail אינו מציע תכונה מורשת דיגיטלית. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Mailbox.org לוגו](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** הוא שירות דוא"ל עם התמקדות בלהיות מאובטח, ללא פרסומות ומופעל באופן פרטי על ידי 100% אנרגיה ידידותית לסביבה. הם פועלים מאז 2014. Mailbox.org ממוקם בברלין, גרמניה. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. הם פועלים מאז 2014. Mailbox.org ממוקם בברלין, גרמניה. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } שיטות תשלום פרטיות -Mailbox.org אינו מקבל מטבעות קריפטוגרפיים כלשהם כתוצאה מכך שמעבד התשלומים BitPay השהה את הפעולות בגרמניה. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org אינו מקבל מטבעות קריפטוגרפיים כלשהם כתוצאה מכך שמעבד התשלומים BitPay השהה את הפעולות בגרמניה. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } אבטחת חשבון -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). תקני אינטרנט כגון [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) אינם נתמכים עדיין. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } אבטחת מידע Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). הודעות חדשות שתקבל יוצפנו באופן מיידי באמצעות המפתח הציבורי שלך. 
-However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. [אפשרות עצמאית](calendar.md) עשויה להתאים יותר למידע זה. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } הצפנת אימייל Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. תכונה זו שימושית כאשר לנמען המרוחק אין OpenPGP ואין באפשרותו לפענח עותק של הדואר האלקטרוני בתיבת הדואר שלו. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. זה מאפשר לאנשים מחוץ Mailbox.org למצוא את מפתחות OpenPGP של חשבונות Mailbox.org בקלות, עבור E2EE חוצה ספקים. זה חל רק על כתובות אימיילים המסתיימות באחד מהדומיינים של Mailbox.org עצמו, כמו mailbox.org@. אם אתה משתמש בדומיין מותאם אישית, עליך [להגדיר את WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) בנפרד. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. 
If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } סגירת חשבון @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org תומך גם ב-[Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) בנוסף לפרוטוקולי גישה סטנדרטיים כמו IMAP ו-POP3. -Mailbox.org כולל תכונת מורשת דיגיטלית לכל התוכניות. אתה יכול לבחור אם אתה רוצה שכל הנתונים שלך יועברו ליורשים בתנאי שהם חלים ומספקים את הצוואה שלך. לחלופין, ניתן למנות אדם לפי שם וכתובת. +Mailbox.org כולל תכונת מורשת דיגיטלית לכל התוכניות. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. לחלופין, ניתן למנות אדם לפי שם וכתובת. ## עוד ספקים 
@@ -195,7 +199,9 @@ Mailbox.org כולל תכונת מורשת דיגיטלית לכל התוכני ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } שיטות תשלום פרטיות -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } אבטחת חשבון 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } אבטחת מידע -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). משמעות הדבר היא שההודעות ונתונים אחרים המאוחסנים בחשבונך ניתנים לקריאה רק על ידך. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). משמעות הדבר היא שההודעות ונתונים אחרים המאוחסנים בחשבונך ניתנים לקריאה רק על ידך. #### :material-information-outline:{ .pg-blue } הצפנת אימייל @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta אינו מציע תכונה מורשת דיגיטלית. - ## אימייל לאירוח עצמי מנהלי מערכת מתקדמים עשויים לשקול הגדרת שרת דואר אלקטרוני משלהם. שרתי דואר דורשים תשומת לב ותחזוקה שוטפת על מנת לשמור על דברים מאובטחים ועל משלוח דואר אמין. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit **מינימום כדי לעמוד בדרישות:** -- מצפין נתוני חשבון אימייל במצב מנוחה עם הצפנה ללא גישה. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- פועל על תשתית בבעלות, כלומר לא בנוי על ספקי שירותי דואר אלקטרוני של צד שלישי. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). שמות דומיין מותאמים אישית חשובים למשתמשים מכיוון שהם מאפשרים להם לתחזק את הסוכנות שלהם מהשירות, אם היא תהפוך לגרועה או תירכש על ידי חברה אחרת שאינה מתעדפת פרטיות. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **המקרה הטוב ביותר:** -- מצפין את כל נתוני החשבון (אנשי קשר, יומנים וכו') במצב מנוחה עם הצפנה ללא גישה. -- הצפנת דואר אינטרנט משולבת E2EE/PGP מסופקת לנוחיותך. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. משתמשי GnuPG יכולים לקבל מפתח על ידי הקלדה `gpg --locate-key example_user@example.com` -- תמיכה בתיבת דואר זמנית למשתמשים חיצוניים. פעולה זו שימושית כאשר ברצונך לשלוח דוא"ל מוצפן, מבלי לשלוח עותק בפועל לנמען שלך. למיילים אלה יש בדרך כלל תוחלת חיים מוגבלת ולאחר מכן נמחקות אוטומטית. הם גם לא דורשים מהנמען להגדיר שום קריפטוגרפיה כמו OpenPGP. -- זמינות שירותי ספק הדואר האלקטרוני באמצעות [שירות onion](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). 
שמות דומיין מותאמים אישית חשובים למשתמשים מכיוון שהם מאפשרים להם לתחזק את הסוכנות שלהם מהשירות, אם היא תהפוך לגרועה או תירכש על ידי חברה אחרת שאינה מתעדפת פרטיות. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- תמיכה בתיבת דואר זמנית למשתמשים חיצוניים. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. למיילים אלה יש בדרך כלל תוחלת חיים מוגבלת ולאחר מכן נמחקות אוטומטית. הם גם לא דורשים מהנמען להגדיר שום קריפטוגרפיה כמו OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). שמות דומיין מותאמים אישית חשובים למשתמשים מכיוון שהם מאפשרים להם לתחזק את הסוכנות שלהם מהשירות, אם היא תהפוך לגרועה או תירכש על ידי חברה אחרת שאינה מתעדפת פרטיות. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### פרטיות 
@@ -337,30 +342,30 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit **מינימום כדי לעמוד בדרישות:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- אין צורך במידע המאפשר זיהוי אישי (PII) מלבד שם משתמש וסיסמה. -- מדיניות פרטיות העומדת בדרישות שהוגדרו ב-GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **המקרה הטוב ביותר:** -- מקבל [אפשרויות תשלום אנונימיות](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), מזומן, כרטיסי מתנה וכו') -- מתארח באזור שיפוט עם חוקים חזקים להגנה על פרטיות האימייל. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### אבטחה -שרתי דואר אלקטרוני עוסקים בהרבה מאוד נתונים רגישים. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **מינימום כדי לעמוד בדרישות:** -- הגנה על דואר אינטרנט עם 2FA, כגון TOTP. -- Zero access encryption, which builds on encryption at rest. לספק אין את מפתחות הפענוח של הנתונים שברשותו. פעולה זו מונעת מעובד שסרח להדליף נתונים שיש לו גישה אליהם או מיריב מרחוק לשחרר נתונים שגנב על ידי השגת גישה בלתי מורשית לשרת. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. לספק אין את מפתחות הפענוח של הנתונים שברשותו. 
פעולה זו מונעת מעובד שסרח להדליף נתונים שיש לו גישה אליהם או מיריב מרחוק לשחרר נתונים שגנב על ידי השגת גישה בלתי מורשית לשרת. - תמיכה ב [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- העדפת חבילת שרתים (אופציונלית ב-TLSv1.3) עבור חבילות צופן חזקות התומכות בסודיות קדימה ובהצפנה מאומתת. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - [MTA-STS](https://tools.ietf.org/html/rfc8461) בתוקף וגם מדיניות [TLS-RPT](https://tools.ietf.org/html/rfc8460). - בתוקף [רשומות DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities). - בתוקף [רשומות SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) ו - [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail). -- שיהיה לך מתאים [DMARC](https://en.wikipedia.org/wiki/DMARC) עבר ומדיניות או שימוש ב [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) לאימות. אם נעשה שימוש באימות DMARC, יש להגדיר את המדיניות ל- `דוחה` או `הסגר`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. אם נעשה שימוש באימות DMARC, יש להגדיר את המדיניות ל- `דוחה` או `הסגר`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). - [שליחת SMTPS](https://en.wikipedia.org/wiki/SMTPS), בהנחה שנעשה שימוש ב - SMTP. - תקני אבטחת אתר אינטרנט כגון: 
@@ -370,10 +375,10 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit **המקרה הטוב ביותר:** -- תמיכה באימות חומרה, כלומר. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [אישור רשות ההסמכה של DNS (CAA) רשומת משאבים](https://tools.ietf.org/html/rfc6844) בנוסף לתמיכת DANE. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- פירסם ביקורות אבטחה מחברת צד שלישי מכובדת. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - תוכניות לחיפוש באגים ו/או תהליך גילוי - פגיעות מתואם. - תקני אבטחת אתר אינטרנט כגון: - [מדיניות אבטחת תוכן (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) @@ -381,7 +386,7 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit ### אמון -לא הייתם סומכים על הכספים שלכם למישהו שיש זהות מזויפת, אז למה לסמוך עליו עם הדוא"ל שלכם? אנו דורשים מהספקים המומלצים שלנו להיות פומביים לגבי הבעלות או המנהיגות שלהם. כמו כן, היינו רוצים לראות דיווחי שקיפות תכופים, במיוחד בכל הנוגע לאופן הטיפול בבקשות ממשלתיות. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? אנו דורשים מהספקים המומלצים שלנו להיות פומביים לגבי הבעלות או המנהיגות שלהם. כמו כן, היינו רוצים לראות דיווחי שקיפות תכופים, במיוחד בכל הנוגע לאופן הטיפול בבקשות ממשלתיות. **מינימום כדי לעמוד בדרישות:** 
@@ -398,19 +403,16 @@ With the email providers we recommend, we like to see responsible marketing. **מינימום כדי לעמוד בדרישות:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- טענות של "הצפנה בלתי שבירה " יש להשתמש בהצפנה מתוך כוונה שהיא לא תהיה סודית בעתיד כאשר הטכנולוגיה קיימת כדי לפצח אותה. -- ביצוע ערבויות של הגנה על 100% אנונימיות. כשמישהו טוען שמשהו הוא 100% זה אומר שאין ודאות לכישלון. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - שימוש חוזר במידע אישי, למשל. (חשבונות אימיילים, שמות בדויים ייחודיים וכו') שאליהם הם ניגשו ללא תוכנת אנונימיות (Tor, VPN וכו') - - [טביעת אצבע של דפדפן](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [טביעת אצבע של דפדפן](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **המקרה הטוב ביותר:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### פונקציונליות נוספת -אמנם לא דרישות קפדניות, יש כמה גורמי נוחות או פרטיות אחרים שבדקנו בעת קביעת אילו ספקים להמליץ. 
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/he/os/android-overview.md b/i18n/he/os/android-overview.md index c1e22b85..bb74747f 100644 --- a/i18n/he/os/android-overview.md +++ b/i18n/he/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr תוכנית ההגנה המתקדמת מספקת ניטור איומים משופר ומאפשרת: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - רק גוגל ואפליקציות צד שלישי מאומתות יכולות לגשת לנתוני החשבון - סריקה של הודעות אימייל נכנסות בחשבונות Gmail עבור ניסיונות [דיוג](https://en.wikipedia.org/wiki/Phishing#Email_phishing) - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. השבת תכונה זו כדי להגביל את הנתונים שנאספו עליך. -בהפצות אנדרואיד עם [Google Play בארגז חול](https://grapheneos.org/usage#sandboxed-google-play), עבור אל :gear: **הגדרות** ← **אפליקציות** ← **Google Play בארגז חול** ← **הגדרות גוגל** ← **מודעות**, ותבחר *מחק מזהה פרסום*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. בדיקה diff --git a/i18n/hi/basics/account-creation.md b/i18n/hi/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/hi/basics/account-creation.md +++ b/i18n/hi/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/hi/basics/email-security.md b/i18n/hi/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/hi/basics/email-security.md +++ b/i18n/hi/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/hi/email-aliasing.md b/i18n/hi/email-aliasing.md index bc73aeb2..87d0fd0e 100644 --- a/i18n/hi/email-aliasing.md +++ b/i18n/hi/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Recommended Providers
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/hi/email-clients.md b/i18n/hi/email-clients.md index 069f84b1..c6c7fc7a 100644 --- a/i18n/hi/email-clients.md +++ b/i18n/hi/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/hi/email.md b/i18n/hi/email.md index e2054402..ae8b4023 100644 --- a/i18n/hi/email.md +++ b/i18n/hi/email.md 
@@ -22,19 +22,19 @@ Email is practically a necessity for using any online service, however we do not For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP Compatible Services -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Private Payment Methods -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Account Security 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail doesn't offer a digital legacy feature. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail doesn't offer a digital legacy feature. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Private Payment Methods -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Account Security -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Account Security 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/hi/os/android-overview.md b/i18n/hi/os/android-overview.md index f2086618..4ff9761a 100644 
--- a/i18n/hi/os/android-overview.md +++ b/i18n/hi/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/hu/basics/account-creation.md b/i18n/hu/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/hu/basics/account-creation.md +++ b/i18n/hu/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/hu/basics/email-security.md b/i18n/hu/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/hu/basics/email-security.md +++ b/i18n/hu/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/hu/email-aliasing.md b/i18n/hu/email-aliasing.md index d0f1a1df..51edc2f7 100644 --- a/i18n/hu/email-aliasing.md +++ b/i18n/hu/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Ajánlott Szolgáltatók
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Követelmények -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/hu/email-clients.md b/i18n/hu/email-clients.md index f3c1f1c8..44df6c2c 100644 --- a/i18n/hu/email-clients.md +++ b/i18n/hu/email-clients.md 
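Review bot: In the email-aliasing.md hunk at `@@ -97,18 +113,18 @@`, the Edge link `+- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff)` drops the `simpleloginreceive-sen` slug and keeps only the add-on ID, so please confirm the slug-less URL still resolves to the same listing before merging. The reorder of the Securitum sentence is fine, but note that the link labelled ProxyStore in `+... via their official reseller [ProxyStore](https://simplelogin.io/faq).` points at SimpleLogin's FAQ rather than the reseller; that is pre-existing, but worth a follow-up in the source string.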
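Review bot: In the `@@ -121,6 +137,6 @@` hunk the only change is "email service" to "email aliasing service", yet the whole paragraph under the Hungarian heading `## Követelmények` is still English, as is the `[^1]` footnote, so this page ships half-translated; if the source string changed, the Hungarian translation was reset and needs re-approval in Crowdin rather than being merged as English.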
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/hu/email.md b/i18n/hu/email.md index 77b09c52..f0049ca2 100644 --- a/i18n/hu/email.md +++ b/i18n/hu/email.md 
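Review bot: In the email-clients.md hunk at `@@ -10,7 +10,7 @@`, the new link target `basics/account-creation.md#sign-in-with-oauth` is an anchor slugged from the English heading; if the corresponding heading in i18n/hu/basics/account-creation.md is translated, MkDocs generates a different slug and the link dangles. Suggest checking that file in this same commit, or pinning the heading with an explicit attr_list id (`{ #sign-in-with-oauth }`) so the anchor survives translation. The admonition title "Email does not provide forward secrecy" in the trailing context is also still untranslated.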
@@ -22,19 +22,19 @@ Az email gyakorlatilag elengedhetetlen bármilyen online szolgáltatás használ Minden más esetre olyan emailszolgáltatókat ajánlunk, amelyek fenntartható üzleti modelleken és beépített biztonsági, adat- és magánéletvédelmi funkciókon alapulnak. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -Az itt ajánlott email szolgáltatók mellett (vagy helyett) érdemes megfontolni egy dedikált [e-mail alias szolgáltatást](email-aliasing.md) is a magánélet védelme érdekében. Ezek a szolgáltatások többek között segíthetnek megvédeni a valódi potaládádat a spamektől, megakadályozhatják, hogy a marketingesek összekapcsolják a fiókjaidat, és PGP-vel titkosíthatják az összes bejövő üzenetedet. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Ezek a szolgáltatások többek között segíthetnek megvédeni a valódi potaládádat a spamektől, megakadályozhatják, hogy a marketingesek összekapcsolják a fiókjaidat, és PGP-vel titkosíthatják az összes bejövő üzenetedet. - [További információ :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP-kompatibilis szolgáltatások -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Például egy Proton Mail felhasználó küldhet végponttól-végpontig titkosított üzenetet egy Mailbox.org felhasználónak, de fogadhatsz OpenPGP-titkosított értesítéseket olyan internetes szolgáltatásoktól is, amelyek támogatják azt. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Például egy Proton Mail felhasználó küldhet végponttól-végpontig titkosított üzenetet egy Mailbox.org felhasználónak, de fogadhatsz OpenPGP-titkosított értesítéseket olyan internetes szolgáltatásoktól is, amelyek támogatják azt.
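Review bot: In the email.md hunk at `@@ -22,19 +22,19 @@`, the Tuta row's last cell is split across a line break ("Monero" at the end of the row, "Cash via third party |" on the next line); a literal newline inside a pipe-table cell terminates the row in Markdown, so this must be a `<br>` (or kept on one line) for the table to render. The replaced paragraph is now mixed-language: `+In addition to (or instead of) an email provider recommended here ...` is English while the following sentence stays Hungarian, and that retained sentence still carries the typo "potaládádat" (should be "postaládádat").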
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key Az OpenPGP-hez hasonló végponttól-végpontig titkosító technológiák használata esetén az e-mail fejlécében továbbra is maradnak olyan metaadatok, amik nincsenek titkosítva, általában beleértve az üzenet tágyát is! Tudj meg többet az [e-mail metaadatokról](basics/email-security.md#email-metadata-overview). -Az OpenPGP nem támogatja a Forward secrecy-t sem, ami azt jelenti, hogy ha a tőled vagy a címzettől ellopják a privát kulcsot, azzal az összes korábbi, ezzel titkosított üzenet is nyilvánosságra kerül. [Hogyan védhetem a privát kulcsaimat?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
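Review bot: The `@@ -48,7 +48,9 @@` hunk replaces a complete Hungarian translation of the forward-secrecy paragraph with the English source string and a new bullet `+- [How do I protect my private keys?](...)`; this is a translation regression caused by the source split, so the Hungarian text should be re-translated rather than left in English. The unchanged context line also has the typo "tágyát" (should be "tárgyát"), which is outside this hunk but worth fixing in the same pass.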
@@ -58,7 +60,9 @@ Az OpenPGP nem támogatja a Forward secrecy-t sem, ami azt jelenti, hogy ha a t ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -A **Proton Mail** egy olyan e-mail szolgáltatás, amely a magánéletre, a titkosításra, a biztonságra és az egyszerű használatra helyezi a hangsúlyt. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +A **Proton Mail** egy olyan e-mail szolgáltatás, amely a magánéletre, a titkosításra, a biztonságra és az egyszerű használatra helyezi a hangsúlyt. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ A **Proton Mail** egy olyan e-mail szolgáltatás, amely a magánéletre, a titk -Az ingyenes fiókoknak vannak bizonyos korlátai, például nem tudnak keresni a szövegben, és nem férnek hozzá a [Proton Mail Bridge-hez](https://proton.me/mail/bridge), ami egy [ajánlott asztali e-mail kliens](email-clients.md) (pl. Thunderbird) használatához szükséges átjáró. A fizetős fiókok olyan funkciókat is tartalmaznak, mint a Proton Mail Bridge, további tárhely és egyéni domainek támogatása. A Proton Mail alkalmazást 2021. november 9-én a [Securitum](https://research.securitum.com) [tanúsította](https://proton.me/blog/security-audit-all-proton-apps). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). A fizetős fiókok olyan funkciókat is tartalmaznak, mint a Proton Mail Bridge, további tárhely és egyéni domainek támogatása. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A Proton Mail alkalmazást 2021. november 9-én a [Securitum](https://research.securitum.com) [tanúsította](https://proton.me/blog/security-audit-all-proton-apps). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
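Review bot: In the `@@ -81,9 +85,9 @@` hunk the new paragraph is a three-language sandwich: `+Free accounts have some limitations, ...` (English), then `A fizetős fiókok olyan funkciókat is tartalmaznak ...` (Hungarian), then the SimpleLogin sentence (English). Crowdin reset only the segments whose source changed, so this paragraph needs a full re-translation before the hu page is coherent. Moving the Securitum audit sentence into its own paragraph is fine.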
@@ -93,7 +97,7 @@ A fizetős Proton Mail előfizetők saját domain címmel is használhatják a s #### :material-check:{ .pg-green } Privát fizetési módok -A Proton Mail készpénzt is [elfogad](https://proton.me/support/payment-options) postai úton a szokásos hitelkártyás, [Bitcoin-](advanced/payments.md#other-coins-bitcoin-ethereum-etc) és PayPal-fizetési módok mellett. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Fiók biztonsága 
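Review bot: The `@@ -93,7 +97,7 @@` hunk swaps a finished Hungarian sentence for `+Proton Mail [accepts](...) **cash** by mail ...` solely because the source added bold to "cash"; a formatting-only source change should not cost the locale its translation. Suggest restoring the Hungarian wording with the bold applied (`**készpénzt**`) in Crowdin.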
@@ -109,7 +113,7 @@ A [Proton Contactsban](https://proton.me/support/proton-contacts) tárolt bizony A Proton Mail [integrálta az OpenPGP titkosítást](https://proton.me/support/how-to-use-pgp) a webmailjébe. A más Proton Mail-fiókokba küldött e-mailek automatikusan titkosítva vannak, és a nem Proton Mail-címekre küldött, OpenPGP-kulccsal rendelkező e-mailek titkosítása egyszerűen engedélyezhető a fiók beállításaiban. Proton also supports automatic external key discovery with WKD. Ez azt jelenti, hogy a WKD-t használó más szolgáltatóknak küldött e-maileket automatikusan az OpenPGP-vel is titkosítja, anélkül, hogy manuálisan kellene nyilvános PGP-kulcsokat cserélnie a kapcsolattartóival. Az [OpenPGP nélkül, nem Proton Mail címekre küldött üzeneteket titkosíthatod](https://proton.me/support/password-protected-emails), anélkül, hogy a címzetteknek Proton Mail fiókot kellene regisztrálniuk. -A Proton Mail a Proton-fiókok nyilvános kulcsait is közzéteszi HTTP-n keresztül a WKD-ből. Ez lehetővé teszi, hogy a Proton Mailt nem használók is könnyen megtalálják a Proton Mail fiókok OpenPGP-kulcsait a szolgáltatóközi E2EE-hez. Ez csak a Proton saját domainjeire végződő e-mail címekre vonatkozik, mint például a @proton.me. Ha egyéni tartományt használsz, kézzel kell [konfigurálni a WKD-t](./basics/email-security.md#what-is-the-web-key-directory-standard). +A Proton Mail a Proton-fiókok nyilvános kulcsait is közzéteszi HTTP-n keresztül a WKD-ből. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Fiók megszüntetése 
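Review bot: In the `@@ -109,7 +113,7 @@` hunk the first sentence of the WKD paragraph stays Hungarian while the rest becomes English, which reads as a broken paragraph on the hu page. The link change from `./basics/email-security.md#...` to `basics/email-security.md#...` is fine and consistent with the rest of the file. The rendered `@proton.me` in backticks is an improvement over the bare text in the old line.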
@@ -117,9 +121,7 @@ Ha előfizetéssel rendelkezel, de 14 napon túli [fizetetlen számlád](https:/ #### :material-information-outline:{ .pg-blue } További funkciók -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -A Proton Mail nem kínál digitális örökség funkciót. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ A Proton Mail nem kínál digitális örökség funkciót. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**A **Mailbox.org** egy olyan e-mail szolgáltatás, amelynek középpontjában a biztonság, a reklámmentesség és a 100%-ban környezetbarát energiával működő, magánhálózatról biztosított energia áll. 2014 óta működnek. A Mailbox.org székhelye Berlinben, Németországban található. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. 2014 óta működnek. A Mailbox.org székhelye Berlinben, Németországban található. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
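Review bot: The `@@ -117,9 +121,7 @@` hunk deletes `-A Proton Mail nem kínál digitális örökség funkciót.` (Proton Mail has no digital-legacy feature) without replacement; since the Mailbox.org section still states it does offer one, the comparison loses its counterpart. Please confirm the English source dropped this statement intentionally (the Tuta equivalent is removed in the same commit, so it looks deliberate) rather than it being a translation-sync artifact.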
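Review bot: In the `@@ -127,7 +129,9 @@` hunk the old line had the broken emphasis `**A **Mailbox.org** egy olyan ...`, and the new line fixes the markup, which is good; however the replacement `+**Mailbox.org** is an email service with a focus on ...` is English followed by the Hungarian `2014 óta működnek. A Mailbox.org székhelye Berlinben ...`, so the paragraph still needs a consistent translation.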
@@ -148,23 +152,23 @@ A Mailbox.org lehetővé teszi a saját domain használatáz, és támogatja a [ #### :material-check:{ .pg-green } Privát fizetési módok -A Mailbox.org nem fogad el semmilyen kriptovalutát, mivel a fizetési szolgáltatójuk, a BitPay felfüggesztette működését Németországban. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +A Mailbox.org nem fogad el semmilyen kriptovalutát, mivel a fizetési szolgáltatójuk, a BitPay felfüggesztette működését Németországban. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Fiók biztonsága -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. A TOTP vagy a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) a [YubiCloudon](https://yubico.com/products/services-software/yubicloud) keresztül használható. Az olyan webes szabványok, mint a [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), még nem támogatottak. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. A TOTP vagy a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) a [YubiCloudon](https://yubico.com/products/services-software/yubicloud) keresztül használható. Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Adatbiztonság A Mailbox.org lehetővé teszi a bejövő levelek titkosítását a [titkosított postafiók](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox) segítségével. 
A kapott új üzeneteket ezután azonnal titkosítja a nyilvános kulcsával. -A Mailbox.org által használt szoftverplatform, az [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange) azonban [nem támogatja](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) a címjegyzék és a naptár titkosítását. Az ilyen információk tárolásához megfelelőbb lehet egy [önálló alternatíva](calendar.md). +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } E-mail titkosítás A Mailbox.org webmailbe [beépített titkosítást](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) alkalmaz, ami leegyszerűsíti az üzenetek küldését nyilvános OpenPGP-kulcsokkal rendelkező személyeknek. Lehetővé teszik továbbá, hogy a [távoli címzettek visszafejtsenek egy e-mailt](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) a Mailbox.org szerverein. Ez a funkció akkor hasznos, ha a távoli címzett nem rendelkezik OpenPGP-vel, és nem tudja visszafejteni az e-mail másolatát a saját postafiókjában. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Ez lehetővé teszi, hogy a Mailbox.org-ot nem használók is könnyen megtalálják a Mailbox.org fiókok OpenPGP-kulcsait a szolgáltatóközi végponttól-végpontig terjedő titkosításhoz. Ez csak a Mailbox.org saját domainjeire végződő e-mail címekre vonatkozik, mint például a @mailbox.org. Ha egyéni tartományt használsz, kézzel kell [konfigurálni a WKD-t](./basics/email-security.md#what-is-the-web-key-directory-standard). +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Fiók megszüntetése @@ -176,7 +180,7 @@ A Mailbox.org fiók a [.onion szolgáltatásuk](https://kb.mailbox.org/en/privat Minden fiókhoz korlátozott felhőalapú tárhely tartozik, amely [titkosítható](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). A mailbox.org kínálja a [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely) aliast is, amely érvényesíti a TLS titkosítást a levelezőszerverek közötti kapcsolaton, ennek hiányában az üzenet egyáltalán nem lesz elküldve. A Mailbox.org támogatja az [Exchange ActiveSync-et](https://en.wikipedia.org/wiki/Exchange_ActiveSync) is a szabványos hozzáférési protokollok, például az IMAP és a POP3 mellett. -A Mailbox.org minden előfizetési csomagban rendelkezik digitális örökség funkcióval. Elnöntheted, hogy szeretnéd-e, hogy adataid bármelyik örökösre szálljanak, feltéve, hogy ezt kérelmezed és végrendelkezésben rögzíted. Alternatívaként nevet és címet is megadhatsz egy személynek. +A Mailbox.org minden előfizetési csomagban rendelkezik digitális örökség funkcióval. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatívaként nevet és címet is megadhatsz egy személynek. ## További szolgáltatók 
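Review bot: In the `@@ -148,23 +152,23 @@` hunk the WebAuthn link now targets `basics/multi-factor-authentication.md#fido-fast-identity-online`, an anchor derived from the English heading; as with the OAuth link in email-clients.md, verify the slug exists on the Hungarian page or pin the heading id. The `Open-Exchange` to `Open-Xchange` correction is right (that is the product's actual name). The hunk header context line has the typo "használatáz" (should be "használatát"), outside the hunk but worth fixing.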
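Review bot: In the `@@ -176,7 +180,7 @@` hunk the inserted English `You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament.` is unidiomatic; suggest "provided that they apply and present your will". It also sits between two Hungarian sentences, so the paragraph should be re-translated as a unit rather than merged mixed.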
@@ -195,7 +199,9 @@ Ezek a szolgáltatók zéró hozzáférésű titkosítással tárolják az e-mai ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Privát fizetési módok -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Fiók biztonsága 
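Review bot: In the `@@ -226,7 +232,7 @@` hunk the only change is bolding "cryptocurrency" inside the link, but the sentence keeps its comma splice: `+Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used ...`; suggest "PayPal; however, ..." in the source string. The `@@ -195,7 +199,9 @@` paragraph split is fine.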
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Adatbiztonság -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Ez azt jelenti, hogy a fiókodban tárolt üzeneteket és egyéb adatokhoz kizárólag te férhetsz hozzá. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Ez azt jelenti, hogy a fiókodban tárolt üzeneteket és egyéb adatokhoz kizárólag te férhetsz hozzá. #### :material-information-outline:{ .pg-blue } E-mail titkosítás @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -A Tuta nem kínál digitális örökség funkciót. - ## Saját üzemeltetésű email A haladó rendszergazdák fontolóra vehetik saját e-mail szerver felállítását. A levelezőszerverek figyelmet és folyamatos karbantartást igényelnek a biztonság és a megbízható levélkézbesítés fenntartása érdekében. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
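Review bot: In the `@@ -234,7 +240,7 @@` hunk the retained Hungarian sentence has a case-agreement error: `... a fiókodban tárolt üzeneteket és egyéb adatokhoz kizárólag te férhetsz hozzá.` should read "üzenetekhez és egyéb adatokhoz"; since this line is touched anyway for the "zero-access" hyphenation, it is a good moment to fix it.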
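Review bot: The `@@ -248,8 +254,6 @@` hunk removes `-A Tuta nem kínál digitális örökség funkciót.`, matching the Proton removal earlier in this file; that keeps the two sections consistent with each other, but the Mailbox.org section still advertises its digital-legacy feature, so the page now mentions the feature for one provider and is silent for the others. Fine if that mirrors the English source; flagging so the asymmetry is intentional.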
@@ -315,21 +319,22 @@ Ezeket a funkciókat fontosnak tartjuk a biztonságos és optimális szolgáltat **Alap Elvárások Minősítéshez:** -- Az email fiókok adatai alapértelmezetten zéró hozzáféréssel legyenek titkosítva. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Saját infrastruktúrán működik, azaz nem harmadik féltől származó e-mail szolgáltatóra épül. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Az egyéni domain nevek azért fontosak a felhasználók számára, mert lehetővé teszik számukra, hogy megőrizzék a függetlenedési képességüket a szolgáltatástól, ha az rosszra fordulna, vagy ha egy másik vállalat felvásárolná, amely nem helyezi előtérbe az adatvédelmet. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Legjobb esetben:** -- Zéró hozzáférésű titkosítással titkosítja az összes fiókadatot (névjegyek, naptárak stb.). -- Integrált webmail E2EE/PGP titkosítás, amely kényelmi funkciót biztosít. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. A GnuPG felhasználók kulcsot szerezhetnek a következő paranccsal: `gpg --locate-key example_user@example.com` -- Ideiglenes postafiók támogatása külső felhasználók számára. Ez akkor hasznos, ha titkosított e-mailt szeretne küldeni anélkül, hogy a címzettnek tényleges másolatot küldene. Ezek az e-mailek általában korlátozott élettartamúak, majd automatikusan törlődnek. A címzettnek nem kell semmilyen titkosítást konfigurálnia, mint az OpenPGP esetében. 
-- Az emailszolgáltató weboldalának elérhetősége egy [.onion szolgáltatáson](https://en.wikipedia.org/wiki/.onion) keresztül. -- Az [alcímzés](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) támogatása. -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Az egyéni domain nevek azért fontosak a felhasználók számára, mert lehetővé teszik számukra, hogy megőrizzék a függetlenedési képességüket a szolgáltatástól, ha az rosszra fordulna, vagy ha egy másik vállalat felvásárolná, amely nem helyezi előtérbe az adatvédelmet. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Ideiglenes postafiók támogatása külső felhasználók számára. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. Ezek az e-mailek általában korlátozott élettartamúak, majd automatikusan törlődnek. A címzettnek nem kell semmilyen titkosítást konfigurálnia, mint az OpenPGP esetében. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Az egyéni domain nevek azért fontosak a felhasználók számára, mert lehetővé teszik számukra, hogy megőrizzék a függetlenedési képességüket a szolgáltatástól, ha az rosszra fordulna, vagy ha egy másik vállalat felvásárolná, amely nem helyezi előtérbe az adatvédelmet. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). 
Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Adatvédelem 
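Review bot: In the `@@ -315,21 +319,22 @@` hunk the custom-domain criterion is now duplicated: `+- Allow users to use their own [domain name](...)` is added to the minimum-requirements list and `+- Should allow users to use their own [domain name](...)` remains in the best-case list, each followed by the identical Hungarian explanatory sentence. One of them should go (the minimum list is presumably the intended home, given the "Must" phrasing of its siblings, in which case it should read "Must allow ..."). Also `- Catch-all or alias functionality ...` is the only best-case item without the "Should" lead-in.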
@@ -337,30 +342,30 @@ Jobban szeretjük, ha az általunk ajánlott szolgáltatók a lehető legkeveseb **Alap elvárások minősítéshez:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- A felhasználónevet és jelszót leszámítva ne kérjen személyazonosításra alkalmas adatokat (PII). -- A GDPR által meghatározott követelményeknek megfelelő adatvédelmi politika. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Legjobb esetben:** -- Elfogadja az [anonim fizetési lehetőségeket](advanced/payments.md)[(kriptopénz](cryptocurrency.md), készpénz, ajándékkártyák stb.) -- Olyan joghatóságban van elhelyezve, ahol erős e-mail adatvédelmi törvények vannak érvényben. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Adatbiztonság -Az e-mail szerverek sok nagyon érzékeny adatot kezelnek. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Alap elvárások minősítéshez:** -- A webmail védelme 2FA-val, például TOTP-vel. -- Zero access encryption, which builds on encryption at rest. A szolgáltató nem rendelkezik a birtokában lévő adatok visszafejtési kulcsaival. Ez megakadályozza, hogy egy rosszhiszemű alkalmazott kiszivárogtassa az adatokat, amelyekhez hozzáfér, vagy egy távoli ellenfél a szerverhez való jogosulatlan hozzáféréssel kiadja az ellopott adatokat. 
+- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. A szolgáltató nem rendelkezik a birtokában lévő adatok visszafejtési kulcsaival. Ez megakadályozza, hogy egy rosszhiszemű alkalmazott kiszivárogtassa az adatokat, amelyekhez hozzáfér, vagy egy távoli ellenfél a szerverhez való jogosulatlan hozzáféréssel kiadja az ellopott adatokat. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) támogatás. - Nincsenek TLS-hibák vagy sebezhetőségek, amikor olyan eszközökkel profilozzák, mint a [Hardenize](https://hardenize.com), a [testssl.sh](https://testssl.sh) vagy a [Qualys SSL Labs](https://ssllabs.com/ssltest); ez magában foglalja a tanúsítványokkal kapcsolatos hibákat és a gyenge DH-paramétereket, például azokat, amelyek a [Logjamhoz](https://en.wikipedia.org/wiki/Logjam_(computer_security)) vezettek. -- Kiszolgálói csomag preferencia (a TLSv1.3 esetében opcionális) az erős titkosítási csomagok számára, amelyek támogatják a továbbított titkosítást és a hitelesített titkosítást. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - Érvényes [MTA-STS](https://tools.ietf.org/html/rfc8461) és [TLS-RPT](https://tools.ietf.org/html/rfc8460) házirend. - Érvényes [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) rekordok. - Érvényes [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) és [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) rekordok. -- Rendelkezzen megfelelő [DMARC](https://en.wikipedia.org/wiki/DMARC) rekorddal és házirenddel, vagy használjon [ARC-t](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) a hitelesítéshez. Ha DMARC-hitelesítést használ, a házirendet `elutasításra` vagy `karanténba` kell állítani. 
+- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. Ha DMARC-hitelesítést használ, a házirendet `elutasításra` vagy `karanténba` kell állítani. - A TLS 1.2 vagy újabb szervercsomag előnyben részesítése és az [RFC8996](https://datatracker.ietf.org/doc/rfc8996) tervezése. - [SMTPS](https://en.wikipedia.org/wiki/SMTPS) beküldés, feltéve, hogy SMTP-t használnak. - Weboldal biztonsági szabványok, mint például: @@ -370,10 +375,10 @@ Az e-mail szerverek sok nagyon érzékeny adatot kezelnek. We expect that provid **Legjobb esetben:** -- A hardveres hitelesítés támogatása, pl. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS-hitelesítésszolgáltatói engedélyezési (CAA) erőforrásrekord](https://tools.ietf.org/html/rfc6844) a DANE-támogatás mellett. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Közzétett biztonsági felülvizsgálatok egy megbízható harmadik feles cégtől. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programok és/vagy összehangolt sebezhetőség-közzétételi folyamat. - Weboldal biztonsági szabványok, mint például: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
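Review bot: In the `@@ -337,30 +342,30 @@` hunk the DMARC item `+- Must have a proper [DMARC](...) record and policy ... Ha DMARC-hitelesítést használ, a házirendet `elutasításra` vagy `karanténba` kell állítani.` wraps translated words in code formatting; the DMARC policy values are the literal tags `p=reject` and `p=quarantine`, so the code spans should keep the English literals (e.g. "`reject` (elutasítás) vagy `quarantine` (karantén)"). Otherwise a reader configuring a record from this list would copy a value the DNS record does not accept. The unchanged line "az [RFC8996] tervezése" also mistranslates "plan for RFC8996" as "the design of RFC8996".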
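Review bot: In the `@@ -370,10 +375,10 @@` hunk, `+- Should support hardware authentication, i.e. U2F and [WebAuthn](...)` changes the meaning of the old line, which had "pl." (e.g.): U2F and WebAuthn are examples of hardware authentication, not its definition, so this should be "e.g.". Also `+- Should implement [Authenticated Received Chain (ARC)](...)` overlaps with the minimum-requirements item that already accepts "or use ARC for authentication"; consider clarifying that the best-case item is about ARC signing for mailing-list traffic specifically.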
@@ -381,7 +386,7 @@ Az e-mail szerverek sok nagyon érzékeny adatot kezelnek. We expect that provid ### Megbízhatóság -A pénzügyeidet sem bíznád egy hamis személyazonosságú emberre, akkor miért bíznád rájuk az e-mailjeidet? Az általunk ajánlott szolgáltatóktól megköveteljük, hogy nyilvánosan nyilatkozzanak a tulajdonlásukról vagy vezetésükről. Szeretnénk továbbá gyakori átláthatósági jelentéseket látni, különösen a kormányzati kérelmek kezelésének módját illetően. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Az általunk ajánlott szolgáltatóktól elvárjuk, hogy nyilvánosak legyenek a tulajdonlásukról vagy vezetésükről. Szeretnénk továbbá gyakori átláthatósági jelentéseket látni, különösen a kormányzati kérelmek kezelésének módját illetően. **Alap elvárások minősítéshez:** 
@@ -398,19 +403,16 @@ With the email providers we recommend, we like to see responsible marketing. **Alap elvárások minősítéshez:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- A "feltörhetetlen titkosítás" állítása. A titkosítást úgy kell használni, hogy annak nem titkos jellege is figyelembe legyen véve a jövőben, amikor már rendelkezésre áll a feltörésére alkalmas technológia. -- Az anonimitás 100%-os védelmének garantálása. Ha valaki azt állítja, hogy valami 100%-os, az azt jelenti, hogy nem merülhet fel meghibásodás. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Olyan személyes adatok újrafelhasználása (pl. e-mail fiókok, egyedi álnevek stb.), amelyekhez anonimitási szoftverek (Tor, VPN stb.) nélkül jutottak hozzá. - - [Böngésző ujjlenyomatolás](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Böngésző fingerprintelés](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Legjobb esetben:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. 
### További funkciók -Bár ezek nem szigorú követelmények, más kényelmi vagy adatvédelmi tényezőket is figyelembe vettünk, amikor eldöntöttük, mely szolgáltatókat ajánljuk. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/hu/os/android-overview.md b/i18n/hu/os/android-overview.md index 101c395e..58ecb1e2 100644 --- a/i18n/hu/os/android-overview.md +++ b/i18n/hu/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/id/basics/account-creation.md b/i18n/id/basics/account-creation.md index 52cc0357..e8bc8539 100644 --- a/i18n/id/basics/account-creation.md +++ b/i18n/id/basics/account-creation.md 
@@ -42,7 +42,7 @@ Anda akan bertanggung jawab untuk mengelola kredensial login Anda. Untuk keamana #### Alias surel -Jika Anda tidak ingin memberikan alamat surel asli Anda ke layanan, Anda memiliki opsi untuk menggunakan alias. Kami menjelaskannya secara lebih rinci di halaman rekomendasi layanan surel kami. Pada dasarnya, layanan alias memungkinkan Anda untuk membuat alamat surel baru yang meneruskan semua surel ke alamat utama Anda. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Semua itu dapat disaring secara otomatis berdasarkan alias yang dikirim. +Jika Anda tidak ingin memberikan alamat surel asli Anda ke layanan, Anda memiliki opsi untuk menggunakan alias. We describe them in more detail on our email services recommendation page. Pada dasarnya, layanan alias memungkinkan Anda untuk membuat alamat surel baru yang meneruskan semua surel ke alamat utama Anda. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Semua itu dapat disaring secara otomatis berdasarkan alias yang dikirim. Jika layanan diretas, Anda mungkin akan mulai menerima surel phishing atau spam ke alamat yang Anda gunakan untuk mendaftar. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Jika layanan diretas, Anda mungkin akan mulai menerima surel phishing atau spam ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). Proses ini diperlukan setiap kali Anda ingin masuk ke akun yang sama. Keuntungan utama adalah: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. Tetapi ada kelemahan: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/id/basics/email-security.md b/i18n/id/basics/email-security.md index 22400a7b..abc1aa82 100644 --- a/i18n/id/basics/email-security.md +++ b/i18n/id/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Surel adalah bentuk komunikasi yang tidak aman secara bawaan. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Surel adalah bentuk komunikasi yang tidak aman secara bawaan. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. Akibatnya, surel paling baik digunakan untuk menerima surel transaksional (pemberitahuan, surel verifikasi, pengaturan ulang kata sandi, dll.) dari layanan yang Anda daftarkan secara daring, bukan untuk berkomunikasi dengan orang lain. ## Ikhtisar Enkripsi Surel -Cara standar untuk menambahkan E2EE ke surel antara penyedia surel yang berbeda adalah dengan menggunakan OpenPGP. Ada beberapa implementasi yang berbeda dari standar OpenPGP, yang paling umum adalah [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) dan [OpenPGP.js](https://openpgpjs.org). +Cara standar untuk menambahkan E2EE ke surel antara penyedia surel yang berbeda adalah dengan menggunakan OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Bahkan jika Anda menggunakan OpenPGP, ini tidak mendukung [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), yang berarti jika kunci privat Anda atau penerima dicuri, semua pesan sebelumnya yang dienkripsi dengan kunci tersebut akan terekspos. 
Inilah sebabnya mengapa kami merekomendasikan [instant messenger](../real-time-communication.md) yang menerapkan kerahasiaan ke depan melalui email untuk komunikasi orang-ke-orang bila memungkinkan. +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. Inilah sebabnya mengapa kami merekomendasikan [instant messenger](../real-time-communication.md) yang menerapkan kerahasiaan ke depan melalui email untuk komunikasi orang-ke-orang bila memungkinkan. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## Apa itu standar Direktori Kunci Web? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email Selain [klien surel yang kami rekomendasikan](../email-clients.md), yang mendukung WKD, beberapa penyedia surel berabasis web juga mendukung WKD. Apakah kunci *Anda* diterbitkan ke WKD untuk digunakan orang lain tergantung pada konfigurasi domain Anda. Jika Anda menggunakan [penyedia surel](../email.md#openpgp-compatible-services) yang mendukung WKD, seperti Proton Mail atau Mailbox.org, mereka dapat mempublikasikan kunci OpenPGP Anda ke domain mereka untuk Anda. -Jika Anda menggunakan domain khusus Anda sendiri, Anda perlu mengonfigurasikan WKD secara terpisah. Jika Anda mengontrol nama domain Anda, Anda bisa menyiapkan WKD terlepas dari apa pun penyedia surel Anda. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Sebagai alternatif, Anda dapat [meng-host sendiri WKD di server web Anda sendiri](https://wiki.gnupg.org/WKDHosting). +Jika Anda menggunakan domain khusus Anda sendiri, Anda perlu mengonfigurasikan WKD secara terpisah. Jika Anda mengontrol nama domain Anda, Anda bisa menyiapkan WKD terlepas dari apa pun penyedia surel Anda. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Sebagai alternatif, Anda dapat [meng-host sendiri WKD di server web Anda sendiri](https://wiki.gnupg.org/WKDHosting). 
-Jika Anda menggunakan domain bersama dari penyedia yang tidak mendukung WKD, seperti @gmail.com, Anda tidak akan dapat berbagi kunci OpenPGP dengan orang lain melalui metode ini. +If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### Klien Email Apa yang Mendukung E2EE? -Penyedia email yang memungkinkan Anda menggunakan protokol akses standar seperti IMAP dan SMTP dapat digunakan dengan salah satu klien email [yang kami rekomendasikan](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Penyedia email yang memungkinkan Anda menggunakan protokol akses standar seperti IMAP dan SMTP dapat digunakan dengan salah satu klien email [yang kami rekomendasikan](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### Bagaimana Cara Melindungi Kunci Pribadi Saya? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. Ada juga sejumlah header tersembunyi yang disertakan oleh banyak klien dan penyedia email yang dapat mengungkapkan informasi tentang akun Anda. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. Ada juga sejumlah header tersembunyi yang disertakan oleh banyak klien dan penyedia email yang dapat mengungkapkan informasi tentang akun Anda. Perangkat lunak klien dapat menggunakan metadata email untuk menunjukkan dari siapa pesan itu berasal dan jam berapa diterima. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Siapa yang Dapat Melihat Metadata Email? -Metadata email dilindungi dari pengamat luar dengan [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) melindunginya dari pengamat luar, tetapi masih dapat dilihat oleh perangkat lunak klien email Anda (atau webmail) dan server mana pun yang meneruskan pesan dari Anda ke penerima mana pun, termasuk penyedia email Anda. Terkadang server email juga akan menggunakan layanan pihak ketiga untuk melindungi dari spam, yang umumnya juga memiliki akses ke pesan Anda. 
+Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Terkadang server email juga akan menggunakan layanan pihak ketiga untuk melindungi dari spam, yang umumnya juga memiliki akses ke pesan Anda. ### Mengapa Metadata tidak bisa menjadi E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE pada awalnya tidak dibangun ke dalam protokol email, melainkan membutuhkan perangkat lunak tambahan seperti OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/id/email-aliasing.md b/i18n/id/email-aliasing.md index 1ac22332..1de2e0de 100644 --- a/i18n/id/email-aliasing.md +++ b/i18n/id/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Penyedia yang Direkomendasikan
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Kriteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/id/email-clients.md b/i18n/id/email-clients.md index 1334eced..8c8c8fa2 100644 --- a/i18n/id/email-clients.md +++ b/i18n/id/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Penyedia Layanan](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Serangan Bertarget](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/id/email.md b/i18n/id/email.md index 896be7d8..20e2eb98 100644 --- a/i18n/id/email.md +++ b/i18n/id/email.md 
@@ -22,19 +22,19 @@ Surel bisa dibilang merupakan kebutuhan untuk menggunakan layanan daring apa pun Untuk yang lainnya, kami merekomendasikan berbagai penyedia surel yang didasarkan pada model bisnis yang berkelanjutan serta fitur keamanan dan privasi bawaan. Baca [daftar lengkap kriteria kami](#criteria) untuk informasi lebih lanjut. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Uang Tunai | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Uang Tunai | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Uang Tunai | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Uang Tunai | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## Layanan yang Kompatibel dengan OpenPGP -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Sebagai contoh, pengguna Proton Mail dapat mengirim pesan E2EE ke pengguna Mailbox.org, atau Anda dapat menerima notifikasi terenkripsi OpenPGP dari layanan internet yang mendukungnya. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Sebagai contoh, pengguna Proton Mail dapat mengirim pesan E2EE ke pengguna Mailbox.org, atau Anda dapat menerima notifikasi terenkripsi OpenPGP dari layanan internet yang mendukungnya.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![ Proton Mail logo ]( assets/img/email/protonmail.svg){ align=right } -**Proton Mail** adalah layanan surel dengan fokus pada privasi, enkripsi, keamanan, dan kemudahan penggunaan. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** adalah layanan surel dengan fokus pada privasi, enkripsi, keamanan, dan kemudahan penggunaan. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Akun gratis memiliki beberapa keterbatasan, seperti tidak dapat mencari teks tubuh dan tidak memiliki akses ke [Proton Mail Bridge](https://proton.me/mail/bridge), yang diperlukan untuk menggunakan [klien surel desktop yang direkomendasikan](email-clients.md) (misalnya Thunderbird). Akun berbayar mencakup fitur-fitur seperti Proton Mail Bridge, penyimpanan tambahan, dan dukungan domain khusus. [Surat pengesahan](https://proton.me/blog/security-audit-all-proton-apps) diberikan untuk aplikasi Proton Mail pada tanggal 9 November 2021 oleh [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Akun berbayar mencakup fitur-fitur seperti Proton Mail Bridge, penyimpanan tambahan, dan dukungan domain khusus. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +[Surat pengesahan](https://proton.me/blog/security-audit-all-proton-apps) diberikan untuk aplikasi Proton Mail pada tanggal 9 November 2021 oleh [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Pelanggan Proton Mail berbayar dapat menggunakan domain mereka sendiri dengan la #### :material-check:{ .pg-green } Metode Pembayaran Pribadi -Proton Mail [menerima](https://proton.me/support/payment-options) uang tunai melalui pos selain kartu kredit/debit standar, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), dan pembayaran PayPal. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Keamanan Akun 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Email ke akun Proton Mail lainnya dienkripsi secara otomatis, dan enkripsi ke alamat non-Proton Mail dengan kunci OpenPGP dapat diaktifkan dengan mudah di pengaturan akun Anda. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. Hal ini memungkinkan orang yang tidak menggunakan Proton Mail untuk menemukan kunci OpenPGP akun Proton Mail dengan mudah, untuk lintas-penyedia E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Fungsionalitas Tambahan -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail tidak menawarkan fitur warisan digital. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail tidak menawarkan fitur warisan digital. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. Mereka telah beroperasi sejak 2014. Mailbox.org berbasis di Berlin, Jerman. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. Mereka telah beroperasi sejak 2014. Mailbox.org berbasis di Berlin, Jerman. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Metode Pembayaran Pribadi -Mailbox.org tidak menerima Bitcoin atau mata uang kripto lainnya sebagai karena prosesor pembayaran mereka BitPay menangguhkan operasi di Jerman. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org tidak menerima Bitcoin atau mata uang kripto lainnya sebagai karena prosesor pembayaran mereka BitPay menangguhkan operasi di Jerman. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Keamanan Akun -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Standar web seperti [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) belum didukung. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Keamanan Data Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
Pesan baru yang Anda terima akan segera dienkripsi dengan kunci publik Anda. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. Fitur ini berguna ketika penerima jarak jauh tidak memiliki OpenPGP dan tidak dapat mendekripsi salinan email di kotak surat mereka sendiri. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Hal ini memungkinkan orang di luar Mailbox.org untuk menemukan kunci OpenPGP dari akun Mailbox.org dengan mudah, untuk lintas-penyedia E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org memiliki fitur warisan digital untuk semua paket. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org memiliki fitur warisan digital untuk semua paket. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## Penyedia Lainnya 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Keamanan Akun 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Email Hosting Mandiri Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum untuk Memenuhi Syarat:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Kasus Terbaik:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privasi 
@@ -337,30 +342,30 @@ Kami lebih memilih penyedia yang kami rekomendasikan untuk mengumpulkan data ses **Minimum untuk Memenuhi Syarat:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Kasus Terbaik:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Keamanan -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum untuk Memenuhi Syarat:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Kasus Terbaik:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Audit keamanan yang dipublikasikan dari perusahaan pihak ketiga yang memiliki reputasi baik. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Program bug-bounty dan/atau proses pengungkapan kerentanan yang terkoordinasi. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -381,7 +386,7 @@ Email servers deal with a lot of very sensitive data. We expect that providers w ### Kepercayaan -Anda tidak akan mempercayakan keuangan Anda pada seseorang dengan identitas palsu, jadi mengapa mempercayakan surel Anda pada mereka? Kami mewajibkan penyedia layanan yang kami rekomendasikan untuk terbuka mengenai kepemilikan atau kepemimpinan mereka. Kami juga ingin melihat laporan transparansi yang lebih sering, terutama dalam hal bagaimana permintaan pemerintah ditangani. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Kami mewajibkan penyedia layanan yang kami rekomendasikan untuk terbuka mengenai kepemilikan atau kepemimpinan mereka. Kami juga ingin melihat laporan transparansi yang lebih sering, terutama dalam hal bagaimana permintaan pemerintah ditangani. **Minimum untuk Memenuhi Syarat:** 
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum untuk Memenuhi Syarat:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Menjamin perlindungan anonimitas 100%. Ketika seseorang membuat klaim bahwa sesuatu itu 100%, itu berarti tidak ada kepastian untuk gagal. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Menggunakan kembali informasi pribadi (akun surel, nama samaran unik, dll.) yang mereka akses tanpa perangkat lunak anonimitas (Tor, VPN, dll.) - - [Sidik jari peramban](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Sidik jari peramban](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Kasus Terbaik:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Fungsionalitas Tambahan diff --git a/i18n/id/os/android-overview.md b/i18n/id/os/android-overview.md index 544d1b8d..4059f9e2 100644 
--- a/i18n/id/os/android-overview.md +++ b/i18n/id/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/it/basics/account-creation.md b/i18n/it/basics/account-creation.md index 942ff827..fbb97898 100644 --- a/i18n/it/basics/account-creation.md +++ b/i18n/it/basics/account-creation.md 
@@ -42,7 +42,7 @@ Sarai responsabile della gestione delle tue credenziali di accesso. Per una magg #### Alias email -Se non desideri fornire il tuo indirizzo email reale a un servizio, puoi utilizzare un alias. Li abbiamo descritti in maggiore dettaglio sulla nostra pagina di consigli dei servizi email. In breve, i servizi di alias ti consentono di generare nuovi indirizzi email, che inoltrano tutte le email al tuo indirizzo principale. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Questi possono essere filtrati automaticamente in base all'alias a cui sono inviati. +Se non desideri fornire il tuo indirizzo email reale a un servizio, puoi utilizzare un alias. We describe them in more detail on our email services recommendation page. In breve, i servizi di alias ti consentono di generare nuovi indirizzi email, che inoltrano tutte le email al tuo indirizzo principale. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Questi possono essere filtrati automaticamente in base all'alias a cui sono inviati. Se un servizio dovesse essere violato, potresti iniziare a ricevere email di phishing o spam all'indirizzo utilizzato per iscriverti. Utilizzare alias univoci per ogni servizio può assisterti nell'identificare esattamente quale servizio è stato violato. 
@@ -50,19 +50,19 @@ Se un servizio dovesse essere violato, potresti iniziare a ricevere email di phi ### "Accedi con..." (OAuth) -OAuth è un protocollo d'autenticazione che ti consente di registrarti a un servizio senza condividere troppe informazioni con il fornitore del servizio, se necessarie, utilizzando un profilo esistente presso un altro servizio. Quando nel modulo di registrazione noti qualcosa di simile ad "Accedi con *nome del fornitore*", tipicamente sta utilizzando OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Quando nel modulo di registrazione noti qualcosa di simile ad "Accedi con *nome del fornitore*", tipicamente sta utilizzando OAuth. Quando accedi con OAuth, si aprirà una pagina di login con il provider scelto e l'account esistente e quello nuovo verranno collegati. La tua password non sarà condivisa, a differenza di alcune informazioni essenziali (che potrai revisionare durante la richiesta d'accesso). Questo procedimento è necessario ogni volta che desideri accedere allo stesso profilo. I principali vantaggi sono: -- **Sicurezza**: non devi affidarti alle pratiche di sicurezza del servizio cui ti stai connettendo quando si tratta di memorizzazione delle tue credenziali d'accesso, poiché sono memorizzate con il fornitore esterno di OAuth che, per quanto riguarda i servizi come Apple e Google, segue tipicamente le migliori pratiche di sicurezza, controlla costantemente i loro sistemi d'autenticazione e non memorizza le credenziali in modo inappropriato (come in testo semplice). -- **Facilità d'uso**: i profili multipli sono gestiti da un unico accesso. 
+- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. Ma esistono degli svantaggi: -- **Privacy**: il fornitore di OAuth con cui effettui l'accesso conoscerà i servizi che utilizzi. -- **Centralizzazione**: Se il profilo che utilizzi per OAuth è compromesso, o non riesci ad accedervi, tutti gli altri profili a esso connesso ne saranno influenzati. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth può essere specialmente utile in quelle situazioni in cui potresti beneficiare dalla più profonda integrazione tra servizi. Il nostro consiglio è quello di limitare l'utilizzo di OAuth soltanto laddove necessario e di proteggere sempre il profilo principale con l'[AFM](multi-factor-authentication.md). diff --git a/i18n/it/basics/email-security.md b/i18n/it/basics/email-security.md index fe776428..aad83c5a 100644 --- a/i18n/it/basics/email-security.md +++ b/i18n/it/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -L'email è una forma non sicura di comunicazione di default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +L'email è una forma non sicura di comunicazione di default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. Di conseguenza, l'email è utilizzata meglio per ricevere email di transazione (quali notifiche, email di verifica, ripristini di password, etc.) dai servizi cui ti iscrivi online, non per comunicare con gli altri. ## Panoramica sulla crittografia delle Email -Il metodo standard per aggiungere l'E2EE alle email tra diversi fornitori email è utilizzando OpenPGP. Esistono svariate implementazioni dello standard OpenPGP; le più comuni sono [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) e [OpenPGP.js](https://openpgpjs.org). +Il metodo standard per aggiungere l'E2EE alle email tra diversi fornitori email è utilizzando OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Anche se utilizzi OpenPGP, non supporta la [segretezza in avanti](https://en.wikipedia.org/wiki/Forward_secrecy), il che significa che se la chiave privata tua o del destinatario viene rubata, tutti i messaggi precedentemente crittografati saranno esposti. Ecco perché consigliamo la [messaggistica istantanea](../real-time-communication.md), che implementa la segretezza in avanti via email, per le comunicazioni personali, quando possibile. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. Ecco perché consigliamo la [messaggistica istantanea](../real-time-communication.md), che implementa la segretezza in avanti via email, per le comunicazioni personali, quando possibile. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## Che cos'è lo standard Web Key Directory? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email Oltre ai [client di posta elettronica che consigliamo](../email-clients.md) e che supportano WKD, anche alcuni provider di webmail supportano WKD. Se *la propria chiave* viene pubblicata su WKD per essere utilizzata da altri dipende dalla configurazione del dominio. Se utilizzi un [provider di posta elettronica](../email.md#openpgp-compatible-services) che supporta WKD, come Proton Mail o Mailbox.org, possono pubblicare la tua chiave OpenPGP sul loro dominio per te. -Se si utilizza un dominio personalizzato, è necessario configurare il WKD separatamente. Se si controlla il proprio nome di dominio, è possibile impostare il WKD indipendentemente dal provider di posta elettronica. Un modo semplice per farlo è quello di utilizzare la funzione "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" di keys.openpgp.org, impostando una voce CNAME sul sottodominio `openpgpkey` del tuo dominio che punta a `wkd.keys.openpgp.org`, poi caricando la tua chiave su [keys.openpgp.org](https://keys.openpgp.org). In alternativa, è possibile effettuare il [self-host del WKD sul proprio server web](https://wiki.gnupg.org/WKDHosting). +Se si utilizza un dominio personalizzato, è necessario configurare il WKD separatamente. Se si controlla il proprio nome di dominio, è possibile impostare il WKD indipendentemente dal provider di posta elettronica. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). In alternativa, è possibile effettuare il [self-host del WKD sul proprio server web](https://wiki.gnupg.org/WKDHosting). 
-Se utilizzi un dominio condiviso da un fornitore che non supporta WKD, come @gmail.com, non sarai in grado di condividere la tua chiave OpenPGP con altri tramite questo metodo. +If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### Quali client email supportano E2EE? -I fornitori email che ti consentono di utilizzare i protocolli d'accesso standard come IMAP e SMTP, sono utilizzabili con qualsiasi [client email che consigliamo](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +I fornitori email che ti consentono di utilizzare i protocolli d'accesso standard come IMAP e SMTP, sono utilizzabili con qualsiasi [client email che consigliamo](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### Come proteggo le mie chiavi private? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Panoramica sui metadati email -I metadati dell'email sono memorizzati nell'[intestazione del messaggio](https://en.wikipedia.org/wiki/Email#Message_header) email e includono alcune intestazioni visibili che potresti aver visto, come: `A`, `Da`, `Cc`, `Data`, `Oggetto`. Esistono anche numerose intestazioni nascoste, incluse da molti client e fornitori email, che possono rivelare informazioni sul tuo profilo. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. Esistono anche numerose intestazioni nascoste, incluse da molti client e fornitori email, che possono rivelare informazioni sul tuo profilo. Il software client potrebbe utilizzare i metadati email per mostrare da chi proviene un messaggio e a che ora è stato ricevuto. I server potrebbero utilizzarlo per determinare dove dev'essere inviato un messaggio email, tra [gli altri scopi](https://en.wikipedia.org/wiki/Email#Message_header) non sempre trasparenti. ### Chi può visualizzare i metadati delle email? -I metadati dell'email sono protetti dagli osservatori esterni con il [TLS opportunistico](https://en.wikipedia.org/wiki/Opportunistic_TLS), ma sono comunque visualizzabili dal software del tuo client email (o webmail) e da qualsiasi server che trasmetta il messaggio da te a qualsiasi destinatario, incluso il tuo fornitore email. Talvolta i server email utilizzeranno i anche dei servizi di terze parti, per proteggere dallo spam che, generalmente, hanno accesso anche ai tuoi messaggi. 
+Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Talvolta i server email utilizzeranno i anche dei servizi di terze parti, per proteggere dallo spam che, generalmente, hanno accesso anche ai tuoi messaggi. ### Perché i metadati non possono essere E2EE? -I metadati dell'email sono fondamentali per le funzionalità di base dell'email (da dove proviene e dove deve andare). Originariamente, l'E2EE non è stata integrata nei protocolli email, richiedendo piuttosto dei software aggiuntivi, come OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +I metadati dell'email sono fondamentali per le funzionalità di base dell'email (da dove proviene e dove deve andare). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/it/email-aliasing.md b/i18n/it/email-aliasing.md index 640df73b..62e56d63 100644 --- a/i18n/it/email-aliasing.md +++ b/i18n/it/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Fornitori consigliati
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Scarica -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteri -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/it/email-clients.md b/i18n/it/email-clients.md index ca983f53..d6bf6bea 100644 --- a/i18n/it/email-clients.md +++ b/i18n/it/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Fornitori di Servizi](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Attacchi Mirati](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
L'email non fornisce la forward secrecy diff --git a/i18n/it/email.md b/i18n/it/email.md index 6efeacba..e0aa7ca0 100644 --- a/i18n/it/email.md +++ b/i18n/it/email.md 
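Review bot: the OAuth link in the `+` line of the email-clients.md hunk above now targets a heading fragment inside the Italian tree, `basics/account-creation.md#sign-in-with-oauth`, whereas the old target was an external Wikipedia URL. Crowdin translates headings, so the slug generated for that heading in `i18n/it/basics/account-creation.md` may not be `sign-in-with-oauth`, and the link would then render but 404. Confirm the Italian heading slug (or that the site keeps English anchors for translated headings) before merging; the same check applies to the `#recommended-providers`, `#fido-fast-identity-online` and `#time-based-one-time-password-totp` fragments introduced in the email.md hunks that follow.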
@@ -22,19 +22,19 @@ L'email è praticamente una necessità per utilizzare qualsiasi servizio online, Per tutto il resto, consigliamo una varietà di provider di posta elettronica basati su modelli di business sostenibile e funzioni di sicurezza integrate. Leggi il nostro [elenco completo di criteri](#criteria) per ulteriori informazioni. -| Provider | OpenPGP / WKD | IMAP / SMTP | Crittografia a conoscenza zero | Pagamenti anonimi | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ---------------------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Solo a pgamento | :material-check:{ .pg-green } | Contanti | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Solo mail | Contanti | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Contanti attraverso terze parti | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Solo a pgamento | :material-check:{ .pg-green } | Contanti | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Solo mail | Contanti | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -Oltre a (o al posto di) un provider di posta elettronica consigliato qui, potreste prendere in considerazione un [servizio di aliasing e-mail](email-aliasing.md) dedicato per proteggere la vostra privacy. Tra le altre cose, questi servizi possono aiutare a proteggere la vostra casella di posta reale dallo spam, a impedire ai marketer di correlare i vostri account e a criptare tutti i messaggi in arrivo con PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Tra le altre cose, questi servizi possono aiutare a proteggere la vostra casella di posta reale dallo spam, a impedire ai marketer di correlare i vostri account e a criptare tutti i messaggi in arrivo con PGP. - [Maggiori informazioni :material-arrow-right-drop-circle:](email-aliasing.md) ## Servizi compatibili con OpenPGP -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Ad esempio, un utente di Proton Mail potrebbe inviare un messaggio E2EE a un utente Mailbox.org, o potresti ricevere notifiche crittografate in OpenPGP dai servizi Internet che le supportano. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Ad esempio, un utente di Proton Mail potrebbe inviare un messaggio E2EE a un utente Mailbox.org, o potresti ricevere notifiche crittografate in OpenPGP dai servizi Internet che le supportano.
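Review bot: the replacement header row in the `@@ -22,19 +22,19 @@` hunk swaps the Italian column names (`Crittografia a conoscenza zero`, `Pagamenti anonimi`) for English ones while the cells beneath stay Italian (`Solo a pgamento`, `Solo mail`, `Contanti`), so the rendered table is mixed-language. The body-cell typo `pgamento` (should be `pagamento`) is carried unchanged into the `+` Proton Mail row and is worth fixing in the same pass. The same hunk replaces the fully translated aliasing sentence with the English source, apparently only to change the link target to `email-aliasing.md#recommended-providers`; the link change could be applied inside the existing Italian sentence instead.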
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key Quando si utilizza una tecnologia E2EE come OpenPGP, la tua e-mail presenta ancora alcuni metadati non crittografati nell'intestazione dell'e-mail, tra cui generalmente l'oggetto! Per saperne di più sui [matadati delle e-mail](basics/email-security.md#email-metadata-overview). -Inoltre, OpenPGP non supporta la Forward Secrecy, ciò significa che se la chiave privata tua o del destinatario viene rubata, tutti i messaggi precedenti crittografati con essa, saranno esposti. [Come proteggo le mie chiavi private?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ Inoltre, OpenPGP non supporta la Forward Secrecy, ciò significa che se la chiav ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** è un servizio di posta elettronica incentrato su privacy, crittografia, sicurezza e facilità d'uso. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** è un servizio di posta elettronica incentrato su privacy, crittografia, sicurezza e facilità d'uso. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ Inoltre, OpenPGP non supporta la Forward Secrecy, ciò significa che se la chiav -Gli account gratuiti presentano delle limitazioni, come l'incapacità di cercare il testo del corpo e l'assenza dell'accesso a [Proton Mail Bridge](https://proton.me/mail/bridge), necessario per utilizzare un [client email desktop consigliato](email-clients.md) (come Thunderbird). I profili a pagamento includono funzionalità come Proton Mail Bridge, archiviazione aggiuntiva e supporto ai domini personalizzati. Una [lettera di attestazione](https://proton.me/blog/security-audit-all-proton-apps) è stata fornita per le applicazioni di Proton Mail il 9 novembre 2021 da [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). I profili a pagamento includono funzionalità come Proton Mail Bridge, archiviazione aggiuntiva e supporto ai domini personalizzati. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +Una [lettera di attestazione](https://proton.me/blog/security-audit-all-proton-apps) è stata fornita per le applicazioni di Proton Mail il 9 novembre 2021 da [Securitum](https://research.securitum.com). Proton Mail ha dei rapporti sugli arresti anomali interni che **non** sono condivisi con terze parti. Questa funzione può essere disattivata nell'applicazione web: :gear: → **Tutte le impostazioni** → **Account** → **Sicurezza e privacy** → **Privacy e raccolta dati**. 
@@ -93,7 +97,7 @@ Gli abbonati a Proton Mail a pagamento possono utilizzare il proprio dominio con #### :material-check:{ .pg-green } Metodi di pagamento privati -Proton Mail [accetta](https://proton.me/support/payment-options) contanti per posta, oltre ai normali pagamenti con carta di credito/debito, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) e PayPal. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Sicurezza dell'account 
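Review bot: the `+` line in the `@@ -93,7 +97,7 @@` hunk replaces a complete Italian translation of the payment-methods sentence with the English source when the only source-side change is the bolding of **cash**. The same pattern recurs later in this file for the Open-Xchange paragraph and the Tuta zero-access paragraph. If these are Crowdin fallbacks for strings that lost their approved translation on a trivial source edit, the Italian strings should be re-approved before merge; otherwise the Italian page silently regresses to English mid-section.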
@@ -109,7 +113,7 @@ Certe informazioni memorizzate su [Proton Contact](https://proton.me/support/pro Proton Mail ha una [crittografia OpenPGP integrata](https://proton.me/support/how-to-use-pgp) nella propria webmail. Le e-mail inviate ad altri account Proton Mail vengono crittografate automaticamente, e la crittografia verso indirizzi non Proton Mail con una chiave OpenPGP può essere abilitata nelle impostazioni dell'account. Proton also supports automatic external key discovery with WKD. Ciò significa che le e-mail inviate ad altri provider che utilizzano WKD saranno automaticamente crittografate con OpenPGP, senza dover scambiare manualmente le chiavi PGP pubbliche con i tuoi contatti. Consentono inoltre di [crittografare i messaggi inviati a indirizzi non Proton Mail senza OpenPGP](https://proton.me/support/password-protected-emails), senza la necessità di aprire un account Proton Mail. -Proton Mail pubblica anche le chiavi pubbliche degli account Proton via HTTP dal loro WKD. Ciò permette a coloro che non utilizzano Proton Mail, di trovare facilmente le chiavi OpenPGP dei profili di Proton Mail, per un'E2EE tra fornitori. Questo vale solo per gli indirizzi e-mail che terminano con uno dei domini di proprietà di Proton, come @proton.me. Se si utilizza un dominio personalizzato, è necessario [configurare il WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separatamente. +Proton Mail pubblica anche le chiavi pubbliche degli account Proton via HTTP dal loro WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Chiusura dell'account 
@@ -117,17 +121,17 @@ Se hai un account a pagamento e il tuo [abbonamento non viene pagato](https://pr #### :material-information-outline:{ .pg-blue } Funzionalità aggiuntive -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail non offre una funzionalità di eredità digitale. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Logo di Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** è un servizio email incentrato sull'essere sicuro, privo di pubblicità e alimentato privatamente da energia ecologica al 100%. Sono operativi dal 2014. Mailbox.org ha sede a Berlino, in Germania. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. Sono operativi dal 2014. Mailbox.org ha sede a Berlino, in Germania. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
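Review bot: the `@@ -117,17 +121,17 @@` hunk deletes `Proton Mail non offre una funzionalità di eredità digitale.` and the later `@@ -248,8 +254,6 @@` hunk deletes the matching Tuta sentence, yet the Mailbox.org paragraph `Mailbox.org dispone di una funzione di eredità digitale per tutti i piani` is kept. The provider comparison is now asymmetric: the two providers that lack the feature no longer say so, so a reader of the Proton or Tuta section cannot tell whether the omission is deliberate. Either keep the two negative statements or state the comparison once in the criteria so the absence is still discoverable.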
@@ -148,23 +152,23 @@ Mailbox.org consente di utilizzare il proprio dominio e supporta gli indirizzi d #### :material-check:{ .pg-green } Metodi di pagamento privati -Mailbox.org non accetta criptovalute a causa della sospensione delle attività del suo elaboratore di pagamenti BitPay, in Germania. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org non accetta criptovalute a causa della sospensione delle attività del suo elaboratore di pagamenti BitPay, in Germania. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Sicurezza dell'account -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. È possibile utilizzare TOTP o una [YubiKey](https://en.wikipedia.org/wiki/YubiKey) tramite [YubiCloud](https://yubico.com/products/services-software/yubicloud). Gli standard Web come [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) non sono ancora supportati. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. È possibile utilizzare TOTP o una [YubiKey](https://en.wikipedia.org/wiki/YubiKey) tramite [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Sicurezza dei dati Mailbox.org consente la crittografia della posta in arrivo utilizzando la sua [casella di posta crittografata](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
I nuovi messaggi ricevuti, saranno immediatamente crittografati con la tua chiave pubblica. -Tuttavia, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), la piattaforma software utilizzata da Mailbox.org, [non supporta](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) la crittografia della rubrica e del calendario. Un'[opzione indipendente](calendar.md) può essere più appropriata per tali informazioni. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Crittografia Email Mailbox.org ha la [crittografia integrata](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) nella sua webmail, il che semplifica l'invio di messaggi a persone con chiavi OpenPGP pubbliche. Inoltre, consentono ai [destinatari di decifrare un'e-mail](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) sui server di Mailbox.org. Questa funzionalità è utile quando il destinatario da remoto non ha OpenPGP e non può decrittografare una copia dell'email nella propria casella. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Questo permette a persone esterne a Mailbox.org di trovare facilmente le chiavi OpenPGP degli account di Mailbox.org, per un E2EE fra provider diversi. Questo vale solo per gli indirizzi e-mail che terminano con uno dei domini di Mailbox.org, come @mailbox.org. Se si utilizza un dominio personalizzato, è necessario [configurare il WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separatamente. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Chiusura dell'account @@ -176,7 +180,7 @@ Alla scadenza del contratto, l'account sarà impostato come account utente limit Tutti gli account sono dotati di uno spazio di archiviazione cloud limitato che [può essere crittografato](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org offre anche l'alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), che applica la crittografia TLS alla connessione tra i server di posta, altrimenti il messaggio non verrà inviato affatto. Mailbox.org supporta anche [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync), oltre ai protocolli di accesso standard come IMAP e POP3. -Mailbox.org dispone di una funzione di eredità digitale per tutti i piani. Puoi scegliere se desideri che i tuoi dati siano passati agli eredi, supponendo che lo richiedano e forniscano il tuo testamento. In alternativa, puoi nominare una persona per nome e indirizzo. +Mailbox.org dispone di una funzione di eredità digitale per tutti i piani. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. In alternativa, puoi nominare una persona per nome e indirizzo. ## Altri fornitori 
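Review bot: in the `@@ -148,23 +152,23 @@` hunk the `+` Open-Xchange line fixes the `Open-Exchange` misspelling, but only by dropping the Italian sentence for the English source; the one-word correction could be made inside the existing translation. Two security points in the same hunk deserve a caveat in the text rather than silence: the account-security `+` line still says 2FA covers `webmail only`, and the table earlier in this file marks Mailbox.org IMAP/SMTP as supported, so a leaked password alone is sufficient for mailbox access over IMAP and the second factor protects only the browser login; and the `+` payment line lists `**cash** payment to bank account`, which is not anonymous toward the bank the way cash by mail is, so the two should not be bolded as equivalent.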
@@ -195,7 +199,9 @@ Questi fornitori memorizzano le tue email con la crittografia a conoscenza zero, ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Gli account Tuta a pagamento possono utilizzare 15 o 30 alias a seconda del pian #### :material-information-outline:{ .pg-blue } Metodi di pagamento privati -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Sicurezza dell'account 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Sicurezza dei dati -Tuta dispone di una [crittografia ad accesso zero a riposo](https://tuta.com/support#what-encrypted) per le e-mail, i [contatti della rubrica](https://tuta.com/support#encrypted-address-book) e i [calendari](https://tuta.com/support#calendar). Ciò significa che messaggi e altri dati memorizzati nel tuo profilo, sono leggibili soltanto da te. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Ciò significa che messaggi e altri dati memorizzati nel tuo profilo, sono leggibili soltanto da te. #### :material-information-outline:{ .pg-blue } Crittografia Email @@ -248,8 +254,6 @@ Tuta cancellerà gli [account gratuiti](https://tuta.com/support#inactive-accou Tuta offre la versione business di [Tuta alle organizzazioni non profit](https://tuta.com/blog/secure-email-for-non-profit) gratuitamente o con un enorme sconto. -Tuta non offre una funzionalità di eredità digitale. - ## Auto-Hosting Email Gli amministratori di sistema avanzati potrebbero considerare la configurazione del proprio server email. I server email richiedono attenzione e manutenzione continua, per mantenere tutto in sicurezza e la consegna delle email affidabile. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,52 +319,53 @@ Consideriamo queste funzionalità come importanti per poter fornire un servizio **Requisiti minimi:** -- Crittografia dei dati degli account email a riposo con crittografia ad "accesso zero". -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Opera su un'infrastruttura proprietaria, cioè, non basata su fornitori del servizio email di terze parti. - -**Miglior Caso:** - -- Crittografa tutti i dati del profilo (Contatti, Calendari, ecc.) a riposo con crittografia ad accesso zero. -- Crittografia E2EE/PGP della webmail integrata, fornita per comodità. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. Gli utenti di GnuPG possono ottenere una chiave digitando: `gpg --locate-key example_user@example.com` -- Supporto per una casella temporanea per gli utenti esterni. Questo è utile quando desideri inviare un'email crittografata, senza inviare una copia effettiva al tuo destinatario. Queste email, solitamente, hanno una durata limitata, prima di essere eliminate automaticamente. Inoltre, non richiedono al destinatario di configurare alcuna crittografia, come OpenPGP. -- Disponibilità dei servizi del fornitore email tramite un [servizio onion](https://en.wikipedia.org/wiki/.onion). -- Supporto per il [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). I nomi di dominio personalizzati sono importanti per gli utenti, poiché consentono loro di mantenere la propria autonomia dal servizio, dovesse diventare negativo o essere acquisito da un'altra azienda che non dà priorità alla privacy. -- Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). 
Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. - -### Privacy - -Preferiamo che i fornitori consigliati raccolgano il minor numero di dati possibile. - -**Requisiti minimi:** - -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Non richiedere informazioni d'identificazione personale (PII), tranne un nome utente e una password. -- Politica sulla privacy che soddisfi i requisiti definiti dal GDPR. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). I nomi di dominio personalizzati sono importanti per gli utenti, poiché consentono loro di mantenere la propria autonomia dal servizio, dovesse diventare negativo o essere acquisito da un'altra azienda che non dà priorità alla privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Caso migliore:** -- Accetta [opzioni di pagamento anonime](advanced/payments.md) ([criptovalute](cryptocurrency.md), contanti, carte regalo, etc.) -- Ospitato in una giurisdizione con forti regolamentazioni sulla protezione della privacy email. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Supporto per una casella temporanea per gli utenti esterni. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. 
Queste email, solitamente, hanno una durata limitata, prima di essere eliminate automaticamente. Inoltre, non richiedono al destinatario di configurare alcuna crittografia, come OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). I nomi di dominio personalizzati sono importanti per gli utenti, poiché consentono loro di mantenere la propria autonomia dal servizio, dovesse diventare negativo o essere acquisito da un'altra azienda che non dà priorità alla privacy. +- Catch-all or alias functionality for those who use their own domains. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). -### Sicurezza +### Privacy -I server email gestiscono molti dati, estremamente sensibili. We expect that providers will adopt best industry practices in order to protect their customers. +Preferiamo che i provider da noi consigliati raccolgano il minor numero di dati possibile. **Requisiti minimi:** -- Protezione della webmail con 2FA, ad esempio TOTP. -- Zero access encryption, which builds on encryption at rest. Il provider non deve disporre delle chiavi di decrittazione dei dati in loro possesso. Questo previene che dipendenti disonesti possano trapelare i dati sensibili, o che un avversario remoto possa rilasciarli, dopo averli rubati, ottenendo un accesso non autorizzato al server. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. 
+- Privacy policy must meet the requirements defined by the GDPR. + +**Caso migliore:** + +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. + +### Sicurezza + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. + +**Requisiti minimi:** + +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. Il provider non deve disporre delle chiavi di decrittazione dei dati in loro possesso. Questo previene che dipendenti disonesti possano trapelare i dati sensibili, o che un avversario remoto possa rilasciarli, dopo averli rubati, ottenendo un accesso non autorizzato al server. - Supporto [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). - Nessun errore o vulnerabilità TLS quando si viene profilato da strumenti come [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh) o [Qualys SSL Labs](https://ssllabs.com/ssltest); questo include errori relativi ai certificati e parametri DH deboli, come quelli che hanno portato a [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- Una preferenza della suite del server (facoltativa su TLSv1.3), per forti suite di cifratura che supportino la segretezza in avanti e la crittografia autenticata. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - Una valida politica [MTA-STS](https://tools.ietf.org/html/rfc8461) e [TLS-RPT](https://tools.ietf.org/html/rfc8460). - Registri [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) validi. 
- Registri [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) e [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) validi. -- Disporre di un registro o una politica [DMARC](https://en.wikipedia.org/wiki/DMARC) adeguati o utilizzare [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) per l'autenticazione. Se si utilizza l'autenticazione DMARC, la politica dev'essere impostata su `rifiuta` o `quarantena`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. Se si utilizza l'autenticazione DMARC, la politica dev'essere impostata su `rifiuta` o `quarantena`. - Preferenza per una suite di server TLS 1.2 o successiva e un piano per [RFC8996](https://datatracker.ietf.org/doc/rfc8996). - Invio [SMTPS](https://en.wikipedia.org/wiki/SMTPS), supponendo che SMTP sia utilizzato. - Standard di sicurezza del sito web come: 
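Review bot: in the `@@ -315,52 +319,53 @@` hunk the own-domain criterion now appears twice: `+- Allow users to use their own [domain name]` under **Requisiti minimi** and `+- Should allow users to use their own [domain name]` under **Caso migliore**, each followed by the same Italian justification sentence. A criterion cannot be both mandatory and best-case; drop one, and if it stays in the minimum list, reword it to the `Must` form used by the neighbouring bullets. Separately, the `+- Must have a proper [DMARC]...` line keeps the translated literals `` `rifiuta` `` and `` `quarantena` ``; DMARC policy values are protocol tokens (`p=reject`, `p=quarantine`, RFC 7489) and must not be localised, or readers checking a provider's record will look for values that do not exist. The Italian label `**Requisiti minimi:**` is also retained under the English-only **Privacy** and **Sicurezza** bullet lists, so the section alternates languages line by line; re-approving the Italian strings for those bullets would avoid that.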
@@ -368,12 +373,12 @@ I server email gestiscono molti dati, estremamente sensibili. We expect that pro - [Integrità Subresource](https://en.wikipedia.org/wiki/Subresource_Integrity) se si caricano oggetti da domini esterni. - Must support viewing of [message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. -**Miglior Caso:** +**Caso migliore:** -- Supporto all'autenticazione hardware, cioè U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [Registro Risorse di Autorizzazione dell'Autorità del Certificato (CAA) DNS](https://tools.ietf.org/html/rfc6844), oltre al supporto DANE. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Controlli di sicurezza pubblicati da uno studio di terze parti affidabile. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Programmi di caccia ai bug e/o un processo di divulgazione delle vulnerabilità coordinato. - Standard di sicurezza del sito web, quali: - [Politica sulla Sicurezza dei Contenuti (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -381,13 +386,13 @@ I server email gestiscono molti dati, estremamente sensibili. We expect that pro ### Fiducia -Non affideresti le tue finanze a qualcuno con un'identità falsa, quindi, perché affidare loro la tua email? Richiediamo ai nostri fornitori fidati di essere pubblici sulla propria proprietà o dirigenza. Inoltre, vorremmo vedere rapporti di trasparenza frequenti, specialmente relativi alla gestione delle richieste del governo. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Richiediamo che i fornitori da noi consigliati rendano pubbliche la propria dirigenza o proprietà. Inoltre, vorremmo vedere rapporti di trasparenza frequenti, specialmente relativi alla gestione delle richieste del governo. **Requisiti minimi:** - Dirigenza o proprietà rivolta al pubblico. -**Miglior Caso:** +**Caso migliore:** - Rapporti di trasparenza frequenti. 
@@ -398,19 +403,16 @@ With the email providers we recommend, we like to see responsible marketing. **Requisiti minimi:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Dichiarazioni di "crittografia impenetrabile." La crittografia dovrebbe essere utilizzata con l'intenzione che possa non essere segreta in futuro, quando esisterà la tecnologia per decifrarla. -- Garantire la protezione dell'anonimato al 100%. Quando qualcuno afferma che qualcosa è al 100%, significa che non vi è certezza di fallimento. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Riutilizzo di informazioni personali, es. (profili email, pseudonimi univoci, etc.), accessibili senza software di anonimato (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Caso migliore:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. 
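Review bot: the re-nesting is a structural change worth a second look: "Must not have any irresponsible marketing" becomes a list item under "Requisiti minimi" with its two sub-points indented beneath it, which is correct, but the Italian translations of those sub-points are dropped for English. Note also that the new English sub-point "Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor" loses "VPN" from the example list the removed Italian line had ("(Tor, VPN, etc.)"), and the "e.g. (" parenthesisation reads oddly; "e.g. email accounts, unique pseudonyms, etc." would be cleaner if the source is being touched anyway.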
### Funzionalità aggiuntive -Sebbene non siano strettamente necessari, esistono ulteriori fattori di comodità o privacy che abbiamo analizzato, determinando quali fornitori consigliare. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/it/os/android-overview.md b/i18n/it/os/android-overview.md index 5c316cc6..b17389c2 100644 --- a/i18n/it/os/android-overview.md +++ b/i18n/it/os/android-overview.md @@ -132,7 +132,7 @@ Se hai un account Google, ti suggeriamo di iscriverti al [Programma di protezion Il Programma di Protezione Avanzata fornisce un migliore monitoraggio delle minacce, e consente: -- Autenticazione a due fattori più rigida; ad esempio, [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **deve** essere utilizzato e non è consentito l'uso di [SMS OTP](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) e [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - L'accesso ai dati del profilo soltanto a Google e alle app verificate di terze parti - Scansione delle email in entrata sui profili Gmail, in cerca di tentativi di [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
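Review bot: the OAuth link now targets `../basics/account-creation.md#sign-in-with-oauth` instead of Wikipedia. In the i18n/it tree that fragment is derived from the localized heading, so verify the Italian account-creation.md heading still slugifies to `sign-in-with-oauth`; a translated heading will produce a different anchor and the link will silently break. The ja version later in this patch keeps the heading as `### "Sign in with..." (OAuth)`, so the anchor resolves there, but that does not guarantee it for it.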
@@ -154,7 +154,9 @@ Se possiedi un dispositivo al termine della vita, distribuito con Android 10 o s All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disabilita questa funzionalità per limitare i dati raccolti su di te. -Sulle distribuzioni Android con [Google Play in modalità sandbox](https://grapheneos.org/usage#sandboxed-google-play), vai su :gear: **Impostazioni** → **App** → **Sandboxed Google Play** → **Impostazioni di Google** → **Pubblicità** e seleziona *Elimina ID pubblicitario*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Controlla diff --git a/i18n/ja/basics/account-creation.md b/i18n/ja/basics/account-creation.md index d5b7bcce..1e1732a6 100644 --- a/i18n/ja/basics/account-creation.md +++ b/i18n/ja/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### 電子メールのエイリアス -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. 主な利点は以下の通りです。 -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. しかし、以下のデメリットもあります。 -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/ja/basics/email-security.md b/i18n/ja/basics/email-security.md index 6b618112..8d81e1f9 100644 --- a/i18n/ja/basics/email-security.md +++ b/i18n/ja/basics/email-security.md 
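Review bot: the new `+[Open Authorization (OAuth)](...) is an authentication protocol` line repeats an inaccuracy from the `-` line: OAuth 2.0 (RFC 6749) is an authorization framework, and the "Sign in with..." flows the paragraph describes use OpenID Connect layered on top of it for authentication. Since the line is being edited anyway, "is an authorization framework, commonly combined with OpenID Connect for sign-in, that allows you to register..." would be accurate. Minor: "**Ease-of-use**" is a noun phrase used on its own here, so the hyphens added in this hunk are not needed ("Ease of use").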
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## 電子メールの暗号化の概要 -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
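Review bot: "Google Workplace" on the S/MIME line is a product-name typo carried from the `-` line into the `+` line; the product is Google Workspace (the linked support.google.com/a/topic/9061730 is Workspace admin help). Fix it on the `+` line while the line is touched. The same `+` line also drops the comma after "however", leaving "called S/MIME, however it requires..." as a comma splice; "...called S/MIME; however, it requires..." reads correctly.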
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
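Review bot: the change from "OATH" to "[OAuth](account-creation.md#sign-in-with-oauth)" is a substantive fix, not a typo correction, and should be called out in review: OATH is the Initiative for Open Authentication behind HOTP/TOTP, which is unrelated to what an IMAP/SMTP client negotiates. In the context of this sentence (client support needed so MFA can be enforced instead of a plain password) OAuth, i.e. XOAUTH2 against the provider, is what is meant, so the new wording is correct. The WKD paragraph's CNAME instructions (`openpgpkey` subdomain pointed to `wkd.keys.openpgp.org`) are unchanged in substance and fine.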
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## 電子メールのメタデータの概要 -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### 誰が電子メールのメタデータを見ることができますか? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### メタデータをE2EEにできない理由 -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/ja/email-aliasing.md b/i18n/ja/email-aliasing.md index 9e969478..fc01344f 100644 --- a/i18n/ja/email-aliasing.md +++ b/i18n/ja/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## 推奨するサービスプロバイダー
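Review bot: the new "## Benefits" section opens with "Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods" and then "### Over Catch-All Aliases" restates "Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain" (and "### Over Temporary Email Services" does the same); one of the per-subsection intros could be trimmed to a shorter lead-in now that the section heading carries the framing. The second hunk removes the original copies of these paragraphs, so check the rendered page for a duplicate "## 推奨するサービスプロバイダー" heading, since this hunk adds one and the removal hunk below starts at the old line 19.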
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
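Review bot: the download list is inconsistent after this hunk: `[:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app)` and `[:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app)` are labelled as store links but point to FAQ entries, while the Firefox and Chrome items in the same list link straight to the extension stores. Either link the store listings directly or keep the previous "Android"/"iOS" labels so the label matches the destination. Splitting the Securitum audit sentence into its own paragraph and replacing the hard-coded alias counts with a link to the pricing page are both improvements.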
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## 規準 -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/ja/email-clients.md b/i18n/ja/email-clients.md index 903f6f59..6100cdec 100644 --- a/i18n/ja/email-clients.md +++ b/i18n/ja/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/ja/email.md b/i18n/ja/email.md index b7b33e4f..31d1502a 100644 --- a/i18n/ja/email.md +++ b/i18n/ja/email.md @@ -22,19 +22,19 @@ global: それ以外にも、持続可能なビジネスモデル、組み込まれたセキュリティーとプライバシー機能に基づき、様々な電子メールプロバイダーを推奨します。 詳細については、[基準の完全なリスト](#criteria)をお読みください。 -| プロバイダー | OpenPGP / WKD | IMAP / SMTP | ゼロアクセス暗号化 | 匿名での支払い | -| --------------------------- | -------------------------------------- | -------------------------------------------------- | ------------------------------------------------ | ---------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } 有料プランのみ | :material-check:{ .pg-green } | 現金 | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } メールのみ | 現金 | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | サードバーティ経由でのMonero & 現金 | +| プロバイダー | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | -------------------------------------------------- | ------------------------------------------------ | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } 有料プランのみ | :material-check:{ .pg-green } | 現金 | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } メールのみ | 現金 | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -上記の推奨するEメールプロバイダーに加え(もしくは代わりに)、プライバシー保護のために[Eメールエイリアスサービス](email-aliasing.md)を検討してください。 特に、スパムから実際の受信トレイを保護し、企業のマーケティング活動によるアカウントの関連付けを防ぎ、すべての受信メールをPGPで暗号化することができます。 +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. 特に、スパムから実際の受信トレイを保護し、企業のマーケティング活動によるアカウントの関連付けを防ぎ、すべての受信メールをPGPで暗号化することができます。 - [詳細 :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP対応サービス -OpenPGPによる暗号化・復号化や[Web Key Directory(WKD)規格](basics/email-security.md#what-is-the-web-key-directory-standard)をネイティブサポートしているプロバイダーでは、プロバイダーに依存しないエンドツーエンド暗号化メールが利用可能です。 例えば、Proton MailのユーザはMailbox.orgのユーザにE2EEメッセージを送れますし、OpenPGPで暗号化された通知を、それをサポートするインターネットサービスから受け取ることができます。 +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. 例えば、Proton MailのユーザはMailbox.orgのユーザにE2EEメッセージを送れますし、OpenPGPで暗号化された通知を、それをサポートするインターネットサービスから受け取ることができます。
@@ -48,7 +48,9 @@ OpenPGPによる暗号化・復号化や[Web Key Directory(WKD)規格](basics/em OpenPGPのようなE2EE(エンドツーエンド暗号化)を利用しても、件名などを含むメールのヘッダーには暗号化されていないメタデータが残ります! 詳細は [電子メールのメタデータ](basics/email-security.md#email-metadata-overview)のページにあります。 -OpenPGPは前方秘匿性に対応していないため、送信者であるあなたか受信者の秘密鍵が盗まれた場合、その秘密鍵で暗号化した過去を含めたすべてのメッセージが暗号化解除可能な状態となります。 [秘密鍵を保護するには?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGPは前方秘匿性に対応していないため、送信者であるあ ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** は、プライバシー、暗号化、セキュリティ、使いやすさを重視したメールサービスです。 2013年からサービスが稼働しました。 Proton AGはスイスのジュネーブを拠点としています。 Proton Mailの無料プランのメールストレージは500MBから始まり、無料で1GBまで増やすことができます。 +**Proton Mail** は、プライバシー、暗号化、セキュリティ、使いやすさを重視したメールサービスです。 2013年からサービスが稼働しました。 Proton AGはスイスのジュネーブを拠点としています。 + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: ウェブページ](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } @@ -81,9 +85,9 @@ OpenPGPは前方秘匿性に対応していないため、送信者であるあ -無料アカウントには本文の検索ができないことや、 [推奨されるデスクトップメールクライアント](email-clients.md) (Thunderbirdなど)を使用するために必要な [Proton Mail Bridge](https://proton.me/mail/bridge) を利用できないといった制限があります。 有料アカウントにはProton Mail Bridge、追加ストレージ、カスタムドメインのサポートなどの機能が含まれています。 [Securitum](https://research.securitum.com)により2021年11月9日 [監査証明書](https://proton.me/blog/security-audit-all-proton-apps) がProton Mailアプリにおくられました。 +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). 有料アカウントにはProton Mail Bridge、追加ストレージ、カスタムドメインのサポートなどの機能が含まれています。 Proton Unlimitedプランや複数ユーザープランの場合、[SimpleLogin](email-aliasing.md#simplelogin)も無料で利用できます。 -Proton Unlimitedプランや複数ユーザープランの場合、[SimpleLogin](email-aliasing.md#simplelogin)も無料で利用できます。 +[Securitum](https://research.securitum.com)により2021年11月9日 [監査証明書](https://proton.me/blog/security-audit-all-proton-apps) がProton Mailアプリにおくられました。 Proton Mailのクラッシュレポートは第三者に共有**されません**。 これはウェブアプリで無効にすることができます::gear: → **すべての設定** → **アカウント** → **セキュリティとプライバシー** → **プライバシーとデータ収集**。 
@@ -93,7 +97,7 @@ Proton Mailの有料会員は独自ドメインでサービスや [キャッチ #### :material-check:{ .pg-green } プライベートな支払い方法 -Proton Mailは標準的なクレジット・デビットカード、 [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) 、またPayPalでの支払いに加え、現金の郵送も [受け付けています](https://proton.me/support/payment-options) 。 +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } アカウントのセキュリティ @@ -109,7 +113,7 @@ Proton Mailはメールと [カレンダー](https://proton.me/news/protoncalend Proton Mailはwebメールに [OpenPGP暗号化を組み込んでいます。](https://proton.me/support/how-to-use-pgp) 他のProton Mailアカウントへのメールは自動的に暗号化され、OpenPGPキーによる非Proton Mailアドレスへの暗号化はアカウント設定から簡単に有効化できます。 ProtonはWKDによる外部の鍵の自動探索にも対応しています。 WKDを使った他のプロバイダーに送信されるEメールは自動的にOpenPGPで暗号化され、PGP公開鍵と連絡先を手動で交換する必要はありません。 また、[Proton Mailではないアドレスに送るメッセージをOpenPGPを使わずに暗号化する](https://proton.me/support/password-protected-emails)こともでき、受信者はProton Mailアカウントへのサインアップが必要ありません。 -Proton MailではProtonアカウントの公開鍵をWKDからHTTP経由で公開します。 これにより、Proton Mailを使っていない人でも、Proton MailアカウントのOpenPGPキーを簡単に見つけることができ、プロバイダをまたいだE2EEが可能になります。 @proton.meのようなProtonが所有するドメインのEメールアドレスのみ対象です。 カスタムドメインを使用する場合、[WKDの設定](./basics/email-security.md#what-is-the-web-key-directory-standard)が必要になります。 +Proton MailではProtonアカウントの公開鍵をWKDからHTTP経由で公開します。 This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } アカウントの停止 
@@ -117,9 +121,7 @@ Proton MailではProtonアカウントの公開鍵をWKDからHTTP経由で公 #### :material-information-outline:{ .pg-blue } 追加機能 -Proton Mailの[Unlimited](https://proton.me/support/proton-plans#proton-unlimited)プランでは複数のカスタムドメイン、無制限のEメールエイリアスや500GBのストレージに加え、その他のProtonサービスを利用することができます。 - -Proton Mailにはデジタル遺産の機能はありません。 +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mailにはデジタル遺産の機能はありません。 ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** は安全、広告なし、プライベートでいることを重視した、100%エコエネルギーで運営されているメールサービスです。 2014年から運営をされています。 Mailbox.orgはドイツのベルリンに拠点を置いています。 各アカウントには最大2GBのストレージが割当てられ、必要に応じてアップグレードできます。 +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. 2014年から運営をされています。 Mailbox.orgはドイツのベルリンに拠点を置いています。 + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: ウェブページ](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="プライバシーポリシー" } 
@@ -148,23 +152,23 @@ Mailbox.orgでは独自ドメインを使うことができ、[キャッチオ #### :material-check:{ .pg-green } プライベートな支払い方法 -Mailbox.orgは決済プロセッサBitPayがドイツでの業務を停止したために暗号通貨を受け付けていません。 郵送による現金払い、銀行口座への銀金払い、銀行振込、クレジットカード、Paypalとドイツの支払いサービスであるpaydirektとSofortüberweisungに対応しています。 +Mailbox.orgは決済プロセッサBitPayがドイツでの業務を停止したために暗号通貨を受け付けていません。 However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } アカウントのセキュリティ -Mailbox.orgはウェブメールに限り、[二要素認証](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa)に対応しています。 TOTPもしくは[YubiCloud](https://yubico.com/products/services-software/yubicloud)経由の[YubiKey](https://en.wikipedia.org/wiki/YubiKey)を利用できます。 [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) などのウェブ標準はまだサポートされていません。 +Mailbox.orgはウェブメールに限り、[二要素認証](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa)に対応しています。 TOTPもしくは[YubiCloud](https://yubico.com/products/services-software/yubicloud)経由の[YubiKey](https://en.wikipedia.org/wiki/YubiKey)を利用できます。 Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. 
#### :material-information-outline:{ .pg-blue } データのセキュリティ Mailbox.orgでは[暗号化されたメールボックス](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox)により受信メールを暗号化することができます。 新しいメッセージを受信するとすぐにあなたの公開鍵で暗号化されます。 -ただし、Mailbox.orgが利用している[Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange)はアドレス帳やカレンダーの暗号化は[対応していません](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book)。 その情報については、 [スタンドアロンオプション](calendar.md) の方が適切であるかもしれません。 +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } メールの暗号化 Mailbox.orgのウェブメールは[暗号化機能が組みこまれており](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard)、OpenPGP公開鍵を持つ人へのメッセージの送信が簡単にできます。 Mailbox.orgのサーバー上で[受信者がEメールの復号化をすることもできます](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp)。 この機能はリモートの受信者がOpenPGPを持っておらず、自分のメールボックスにあるメールのコピーを複合できない場合に便利です。 -Mailbox.orgはWKDによりHTTP経由で公開鍵を探索することにも対応しています。 これにより、Mailbox.orgを使っていない人でも、Mailbox.orgアカウントのOpenPGPキーを簡単に見つけることができ、プロバイダをまたいだE2EEが可能になります。 @mailbox.orgのようなMailbox.orgが所有するドメインのEメールアドレスのみ対象です。 カスタムドメインを使用する場合、[WKDの設定](./basics/email-security.md#what-is-the-web-key-directory-standard)が必要になります。 +Mailbox.orgはWKDによりHTTP経由で公開鍵を探索することにも対応しています。 This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } アカウントの停止 
@@ -176,7 +180,7 @@ Mailbox.orgの[.onionサービス](https://kb.mailbox.org/en/private/faq-article すべてのアカウントで[暗号化可能な](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive)制限付きクラウドストレージが利用できます。 Mailbox.orgには[@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely)というメールサーバー間の接続にTLS暗号化が必須であるエイリアスもあり、TLS暗号化がなければメッセージは全く送信できません。 Mailbox.orgはIMAPやPOP3のような標準的なアクセスプロトコルに加え、 [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) もサポートしています。 -Mailbox.orgの全てのプランにはデジタル遺産機能があります。 相続人が申請し、遺言書を提出することを条件に、自分のデータを相続人に渡すかどうかを選択することができます。 または、名前と住所で人を指名することもできます。 +Mailbox.orgの全てのプランにはデジタル遺産機能があります。 You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. または、名前と住所で人を指名することもできます。 ## その他のプロバイダ @@ -195,7 +199,9 @@ Mailbox.orgの全てのプランにはデジタル遺産機能があります。 ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (旧 *Tutanota*)は暗号化によるセキュリティとプライバシーを重視したメールサービスです。 Tutaは2011年に設立され、ドイツのハノーバーに拠点を置いています。 無料アカウントは1GBのストレージが利用できます。 +**Tuta** (旧 *Tutanota*)は暗号化によるセキュリティとプライバシーを重視したメールサービスです。 Tutaは2011年に設立され、ドイツのハノーバーに拠点を置いています。 + +Free accounts start with 1 GB of storage. [:octicons-home-16: ウェブページ](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="プライバシーポリシー" } @@ -226,7 +232,7 @@ Tutaは[IMAPプロトコル](https://tuta.com/support#imap)やサードパーテ #### :material-information-outline:{ .pg-blue } プライベートな支払い方法 -TutaはクレジットカードもしくはPaypalのみ受け付けていますが、ProxyStoreとの[提携](https://tuta.com/support/#cryptocurrency)により、[暗号通貨](cryptocurrency.md)でギフトカードを購入することができます。 +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } アカウントのセキュリティ 
@@ -234,7 +240,7 @@ TutaはTOTPもしくはU2Fによる[二要素認証](https://tuta.com/support#2f #### :material-check:{ .pg-green } データのセキュリティ -TutaはEメールや[アドレス帳の連絡先](https://tuta.com/support#encrypted-address-book)、[カレンダー](https://tuta.com/support#calendar)の[ゼロアクセス暗号化](https://tuta.com/support#what-encrypted)に対応しています。 アカウントに保存されたメッセージやその他データはあなたにしか読むことができません。 +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). アカウントに保存されたメッセージやその他データはあなたにしか読むことができません。 #### :material-information-outline:{ .pg-blue } メールの暗号化 @@ -248,8 +254,6 @@ Tutaは6ヶ月間[アクティブではないフリープランのアカウン Tutaは[非営利団体](https://tuta.com/blog/secure-email-for-non-profit)向けに無料もしくは大幅な割引価格でビジネス版Tutaを提供しています。 -Tutaにはデジタルレガシー機能はありません。 - ## セルフホストメール システム管理に詳しいのであれば、自前のメールサーバーの構築を検討することも一つの手段です。 安全性とメール配信の信頼性を維持するには、メールサーバーへの注意と継続的なメンテンナンスが必要になります。 以下の「オールインワン」な方法に加え、手動で設定するための記事を取り上げました: 
@@ -315,21 +319,22 @@ Stalwartにはウェブメールが**ない**ため、[専用のEメールクラ **最低条件:** -- ゼロアクセス暗号化によりEメールアカウントのデータを暗号化していること。 -- [Mbox](https://en.wikipedia.org/wiki/Mbox)もしくは[RFC5322](https://datatracker.ietf.org/doc/rfc5322)に基づいた個別の.EMLファイルとしてエクスポートできること。 -- 自社所有のインフラで運用されていること。第三者のEメールサービスプロバイダーによるサービス提供ではないこと。 +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). プロバイダーが悪化したり、プライバシーを重視しない他の会社に買収されたりした場合に備えることができるため、カスタムドメイン名はユーザーにとって非常に重要である。 +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **満たされることが望ましい基準:** -- ゼロアクセス暗号化により、すべてのアカウントのデータ(連絡先、カレンダーなど)が暗号化されていること。 -- 利便性のため、E2EE/PGP暗号化できるウェブメールがあること。 -- HTTP経由でのOpenPGP公開鍵の探索をしやすくするため、WKDへ対応していること。 GnuPGでは次のスクリプトで鍵を取得できます: `gpg --locate-key example_user@example.com` -- 外部ユーザー用の一時的なメールボックスがあること。 受信者に実際のメールのコピーを送るのではなく、暗号化されたメールを送る際に役立ちます。 通常の場合、一時的なメールボックスのメールには期限があり、自動的に削除されます。 また、受信者はOpenPGPのような暗号化を設定する必要がありません。 -- [.onionサービス](https://en.wikipedia.org/wiki/.onion)経由でEメールプロバイダーのサービスが利用できること。 -- [サブアドレス](https://en.wikipedia.org/wiki/Email_address#Sub-addressing)に対応していること。 -- ユーザーの独自[ドメイン名](https://en.wikipedia.org/wiki/Domain_name)が利用できること。 プロバイダーが悪化したり、プライバシーを重視しない他の会社に買収されたりした場合に備えることができるため、カスタムドメイン名はユーザーにとって非常に重要である。 +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- 外部ユーザー用の一時的なメールボックスがあること。 This is useful when you want to send an encrypted email without sending an actual copy to your recipient. 
通常の場合、一時的なメールボックスのメールには期限があり、自動的に削除されます。 また、受信者はOpenPGPのような暗号化を設定する必要がありません。 +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). プロバイダーが悪化したり、プライバシーを重視しない他の会社に買収されたりした場合に備えることができるため、カスタムドメイン名はユーザーにとって非常に重要である。 - 独自ドメインを利用した際、キャッチオール機能もしくはエイリアス機能があること。 -- IMAP、SMTPや[JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol)などの標準的なEメールプロトコルを使用していること。 標準的なプロトコルを採用していることで、他のプロバイダーへ変更する際にすべてのメールを簡単にダウンロードすることができます。 +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). 標準的なプロトコルを採用していることで、他のプロバイダーへ変更する際にすべてのメールを簡単にダウンロードすることができます。 +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### プライバシー 
@@ -337,30 +342,30 @@ Stalwartにはウェブメールが**ない**ため、[専用のEメールクラ **最低条件:** -- 送信者のIPアドレスが保護されていること。`Received`ヘッダーフィールドに表示されないようフィルタリングすることを含む。 -- ユーザー名とパスワード以外に、個人情報(PII)を必要としない。 -- プライバシーポリシーがGDPRの要件を満たしている。 +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **満たされることが望ましい基準:** -- [匿名の支払い方法](advanced/payments.md)([暗号通貨](cryptocurrency.md)、現金、ギフトカードなど)を受け入れること -- 強固な電子メールのプライバシー保護法の管轄区域でホストされていること +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### セキュリティー -メールサーバーは、非常に機密性の高いデータを大量に扱います。 プロバイダーが顧客を保護するために業界のベストプラクティスを採用することを期待している。 +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **最低条件:** -- TOTPなどの二要素認証によるウェブメールの保護。 -- 保存データの暗号化に基づく、ゼロアクセス暗号化。 プロバイダーは保有するデータの復号鍵を持たないこと。 不正を働く従業員がアクセスしたデータを流出させたり、遠隔地の敵対者がサーバーに不正アクセスして盗んだデータを公開したりすることを防ぐことができます。 +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
プロバイダーは保有するデータの復号鍵を持たないこと。 不正を働く従業員がアクセスしたデータを流出させたり、遠隔地の敵対者がサーバーに不正アクセスして盗んだデータを公開したりすることを防ぐことができます。 - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)のサポート。 - [Hardenize](https://hardenize.com)や[testssl.sh](https://testssl.sh)、[Qualys SSL Labs](https://ssllabs.com/ssltest)などのツールでプロファイリングした際にTLSエラーや脆弱性がないこと。証明書関連のエラーや[Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security))の原因となった弱いDHパラメーターを含みます。 -- サーバーの暗号スイート設定が(TLSv1.3では任意となっている)前方秘匿性と認証付き暗号に対応する強力な暗号スイートを優先していること。 +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - 有効な [MTA-STS](https://tools.ietf.org/html/rfc8461) および [TLS-RPT](https://tools.ietf.org/html/rfc8460) ポリシー。 - 有効な[DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)レコード。 - 有効な[SPF](https://ja.wikipedia.org/wiki/Sender_Policy_Framework)および[DKIM](https://ja.wikipedia.org/wiki/DKIM)レコード。 -- 適切な[DMARC](https://en.wikipedia.org/wiki/DMARC)レコード及びポリシーを設定している、もしくは認証に[ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain)を使用していること。 DMARC認証を使用している場合、ポリシーは`reject`か`quarantine`に設定していること。 +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. DMARC認証を使用している場合、ポリシーは`reject`か`quarantine`に設定していること。 - サーバーの暗号スイートがTLS1.2以降であること、及び[RFC8996](https://datatracker.ietf.org/doc/rfc8996)への対応計画があること。 - [SMTPS](https://en.wikipedia.org/wiki/SMTPS)によるメール送信。 - 以下のようなウェブサイトのセキュリティ基準: 
@@ -370,10 +375,10 @@ Stalwartにはウェブメールが**ない**ため、[専用のEメールクラ **満たされることが望ましい基準:** -- ハードウェア認証のサポート、つまり U2Fおよび[WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online)。 +- Should support hardware authentication, i.e. U2Fおよび[WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online)。 - DANEへの対応と[DNS Certification Authority Authorization(CAA)リソースレコード](https://tools.ietf.org/html/rfc6844)の設定。 -- メーリングリストに投稿する際に役立つ[RFC8617](https://tools.ietf.org/html/rfc8617) [Authenticated Received Chain(ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain)が実装されていること。 -- 信頼できる第三者機関によるセキュリティ監査を公表 +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - バグ報奨金プログラム、協調的な脆弱性開示プロセス。 - 以下のようなウェブサイトのセキュリティ基準: - [コンテンツセキュリティポリシー(CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) @@ -381,7 +386,7 @@ Stalwartにはウェブメールが**ない**ため、[専用のEメールクラ ### 信頼 -あなたは偽の身分証を持つ人物に自分の財政を託すことはないでしょう。電子メールに関しても、同じことが言えるはずです。 推奨されるサービスプロバイダーには、自社の所有権やリーダーシップについて公表することが求められます。 また、特に政府からの要請がどのように処理されるかについて、透明性の高い報告が頻繁に行われることを望んでいます。 +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? 推奨されるサービスプロバイダーには、自社の所有権やリーダーシップについて公表することが求められます。 また、特に政府からの要請がどのように処理されるかについて、透明性の高い報告が頻繁に行われることを望んでいます。 **最低条件:** 
@@ -393,24 +398,21 @@ Stalwartにはウェブメールが**ない**ため、[専用のEメールクラ ### マーケティング -推奨するEメールプロバイダーには責任あるマーケティングを求めます。 +With the email providers we recommend, we like to see responsible marketing. **最低条件:** -- アナリティクスをセルフホスティングしていること(Google AnalyticsやAdobe Analyticsを使用していないこと)。 - -以下のような無責任なマーケティングは行ってはなりません: - -- 「破れない暗号化」という主張。 暗号化は、その暗号化を破る技術が将来になって現れた際には、それがもはや秘密ではなくなってしまうかもしれないということを念頭に置いて使用されるべきものです。 -- 匿名性を100%保証するという主張。 誰かが何かを100%だと主張するとき、それは失敗の確実性が全く存在しないということを意味します。 例えば、以下のような匿名化を簡単に解除する様々な方法があります。 - - - 匿名化ソフトウェア(Tor、VPNなど)を使わずにアクセスした個人情報(メールアカウント、ハンドルネームなど)を再利用する - - [ブラウザーのフィンガープリンティングを行うこと。](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [ブラウザーのフィンガープリンティングを行うこと。](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **満たされることが望ましい基準:** -- 二要素認証、メールクライアント、OpenPGPなどの設定に関する明確で読みやすいドキュメント。 +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### 追加機能 -厳密な要件ではありませんが、推奨するサービスプロバイダーを決定する際に考慮した利便性やプライバシーの要素が他にもいくつかあります。 +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/ja/os/android-overview.md b/i18n/ja/os/android-overview.md index 1ac2fb05..63e8e577 100644 --- a/i18n/ja/os/android-overview.md 
+++ b/i18n/ja/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run Google Play Servicesがインストールされているすべてのデバイスは、ターゲット広告に使用される[広告 ID](https://support.google.com/googleplay/android-developer/answer/6048248)を自動的に生成します。 この機能を無効にすると、あなたについて収集されるデータを制限できます。 -[サンドボックス化されたGoogle Play](https://grapheneos.org/usage#sandboxed-google-play)を備えたAndroid ディストリビューションでは、:gear: **設定** → **アプリ** → **Sandboxed Google Play** → **Google Settings** → **広告**に移動し、*Delete advertising ID*を選択します。 +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/ko/basics/account-creation.md b/i18n/ko/basics/account-creation.md index ce5317bb..f9afbac2 100644 --- a/i18n/ko/basics/account-creation.md +++ b/i18n/ko/basics/account-creation.md 
@@ -42,7 +42,7 @@ The Privacy Policy is how the service says they will use your data, and it is wo #### 이메일 별칭 -실제 이메일 주소를 서비스에 노출하지 않고자 하는 경우 이메일 별칭을 사용할 수 있습니다. (이메일 별칭 관련 자세한 내용은 이메일 서비스 권장 목록 페이지를 참고하세요.) 이메일 별칭 서비스를 사용하면 주요 이메일 주소로 모든 이메일이 전달되는 새로운 이메일 주소를 만들 수 있습니다. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. 어떤 별칭으로 보내졌는지에 따라 자동으로 분류되기 때문입니다. +실제 이메일 주소를 서비스에 노출하지 않고자 하는 경우 이메일 별칭을 사용할 수 있습니다. We describe them in more detail on our email services recommendation page. 이메일 별칭 서비스를 사용하면 주요 이메일 주소로 모든 이메일이 전달되는 새로운 이메일 주소를 만들 수 있습니다. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. 어떤 별칭으로 보내졌는지에 따라 자동으로 분류되기 때문입니다. 서비스가 해킹당할 경우, 가입한 이메일 주소로 피싱/스팸 메일이 올 수 있습니다. 서비스마다 고유한 별칭을 사용하면 어떤 서비스가 해킹당했는지 식별 가능합니다. 
@@ -50,19 +50,19 @@ The Privacy Policy is how the service says they will use your data, and it is wo ### '~ (으)로 로그인' (OAuth) -OAuth는 가입하려는 서비스 제공 업체와 많은 정보를 공유하지 않고도, 다른 서비스에서 이미 사용 중이던 기존 계정을 이용해서 서비스에 가입할 수 있는 인증 프로토콜입니다. 가입 시에 '*제공 업체* (으)로 로그인' 문구로 표시되는 방식이 OAuth를 사용하는 것입니다. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. 가입 시에 '*제공 업체* (으)로 로그인' 문구로 표시되는 방식이 OAuth를 사용하는 것입니다. Oauth 로그인을 선택할 경우, OAuth 제공 업체의 로그인 페이지를 거쳐 계정이 연결됩니다. 여러분의 비밀번호는 공유되지 않지만, 보통 일부 기본 정보(로그인 과정에서 검토 가능합니다)는 공유됩니다. 이 과정은 해당 계정에 로그인할 때마다 필요합니다. 주요 장점은 다음과 같습니다: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **사용 편의성**: 하나의 로그인으로 여러 계정을 관리할 수 있습니다. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. 단점은 다음과 같습니다: -- **프라이버시**: OAuth 제공 업체는 사용자가 어떤 서비스를 사용하는지 알 수 있습니다. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. 
+- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. 되도록 OAuth는 필요한 경우에만 사용하고, 주요 계정은 [MFA](multi-factor-authentication.md)로 보호할 것을 권장드립니다. diff --git a/i18n/ko/basics/email-security.md b/i18n/ko/basics/email-security.md index 80ce824f..9647435e 100644 --- a/i18n/ko/basics/email-security.md +++ b/i18n/ko/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -기본적으로, 이메일은 안전하지 않은 통신 형식입니다. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +기본적으로, 이메일은 안전하지 않은 통신 형식입니다. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. 따라서, 이메일은 다른 사람과 통신하는 용도로는 사용하지 않고, 가입한 온라인 서비스에서 보내는 사무 관련 이메일(알림, 인증 메일, 비밀번호 초기화 등) 수신 용도로 사용하는 것이 가장 좋습니다. ## 이메일 암호화 개요 -서로 다른 이메일 제공 업체 간의 이메일에 E2EE를 적용하는 표준 방법은 OpenPGP를 사용하는 것입니다. OpenPGP 표준에는 여러 구현체가 존재하며, [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard)와 [OpenPGP.js](https://openpgpjs.org)가 보편적입니다. +서로 다른 이메일 제공 업체 간의 이메일에 E2EE를 적용하는 표준 방법은 OpenPGP를 사용하는 것입니다. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -OpenPGP를 사용하더라도 [순방향 비밀성(Forward secrecy)](https://en.wikipedia.org/wiki/Forward_secrecy)을 지원하지 않으므로, 본인 혹은 수신자의 개인 키가 도난당할 경우 해당 키로 암호화된 이전 메시지가 전부 노출됩니다. 따라서, 개인 간 의사소통에는 이메일보다는 순방향 비밀성이 구현된 [메신저](../real-time-communication.md)를 이용하실 것을 권장드립니다. +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. 따라서, 개인 간 의사소통에는 이메일보다는 순방향 비밀성이 구현된 [메신저](../real-time-communication.md)를 이용하실 것을 권장드립니다. 
-There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### E2EE 지원 이메일 클라이언트는 무엇인가요? -IMAP, SMTP 등 표준 접속 프로토콜을 사용할 수 있는 이메일 제공 업체는 [권장 이메일 클라이언트](../email-clients.md)와 함께 사용할 수 있습니다. Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +IMAP, SMTP 등 표준 접속 프로토콜을 사용할 수 있는 이메일 제공 업체는 [권장 이메일 클라이언트](../email-clients.md)와 함께 사용할 수 있습니다. Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### 개인 키를 어떻게 보호해야 하나요? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## 이메일 메타데이터 개요 -이메일 메타데이터는 이메일 메시지의 [메시지 헤더](https://en.wikipedia.org/wiki/Email#Message_header)에 저장됩니다. 이메일 메타데이터에는 여러분이 봐왔을 `To`(받는사람), `From`(보낸사람), `Cc`(참조), `Date`(보낸 날짜), `Subject`(제목) 등이 포함됩니다. 이외에도 여러 숨겨진 헤더가 이메일 클라이언트 및 제공 업체로부터 추가되며, 이러한 정보는 여러분의 계정에 대한 정보를 노출시킬 수 있습니다. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. 이외에도 여러 숨겨진 헤더가 이메일 클라이언트 및 제공 업체로부터 추가되며, 이러한 정보는 여러분의 계정에 대한 정보를 노출시킬 수 있습니다. 클라이언트 소프트웨어는 이메일 메타데이터를 사용해 메시지의 발신자와 수신 시간을 표시할 수 있습니다. 서버는 항상 투명하지만은 않은 [다른 목적지](https://en.wikipedia.org/wiki/Email#Message_header) 중 어디에 이메일을 보내야 할지 결정하는 데에 메타데이터를 활용할 수 있습니다. ### 이메일 메타데이터는 누가 볼 수 있나요? -이메일 메타데이터는 [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS)를 통해 외부 관찰자로부터 보호됩니다. 하지만 여러분이 사용하는 이메일 클라이언트 소프트웨어나 웹메일은 메타데이터를 볼 수 있습니다. 또한 여러분의 이메일 제공 업체를 포함한, 여러분과 상대 수신자 사이의 모든 메시지 전달 서버 역시 메타데이터를 볼 수 있습니다. 이메일 서버 중에는 스팸 차단 목적으로 타사 서비스를 사용하기도 하는데, 보통 이런 타사 서비스도 여러분의 메시지에 접근할 수 있습니다. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 이메일 서버 중에는 스팸 차단 목적으로 타사 서비스를 사용하기도 하는데, 보통 이런 타사 서비스도 여러분의 메시지에 접근할 수 있습니다. ### 메타데이터는 종단 간 암호화를 적용할 수 없나요? -이메일 메타데이터는 이메일의 가장 기본적인 기능(어디에서 왔는지, 어디로 가야하는지 등)에 매우 중요한 역할을 합니다. 이메일 프로토콜에는 본래 E2EE가 내장되지 않았기 때문에, OpenPGP 등의 애드온 소프트웨어가 필요합니다. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. 
That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +이메일 메타데이터는 이메일의 가장 기본적인 기능(어디에서 왔는지, 어디로 가야하는지 등)에 매우 중요한 역할을 합니다. E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/ko/email-aliasing.md b/i18n/ko/email-aliasing.md index 33f0cfe6..0883b08b 100644 --- a/i18n/ko/email-aliasing.md +++ b/i18n/ko/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## 권장 제공 업체
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## 평가 기준 -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/ko/email-clients.md b/i18n/ko/email-clients.md index 6f19a0a6..98886a1b 100644 --- a/i18n/ko/email-clients.md +++ b/i18n/ko/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: 서비스 제공자/제공 업체(Service Providers)](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: 표적 공격(Targeted Attacks)](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/ko/email.md b/i18n/ko/email.md index 466d45c0..a4d6d1a9 100644 --- a/i18n/ko/email.md +++ b/i18n/ko/email.md @@ -22,19 +22,19 @@ global: 그 외 용도로 이메일을 사용한다면, 지속 가능한 비즈니스 모델을 갖추고 보안 및 프라이버시 기능을 기본 제공하는 이메일 제공 업체를 권장합니다. 자세한 사항은 [전체 평가 기준](#criteria)을 참고해 주세요. -| 서비스 제공자 | OpenPGP/WKD | IMAP / SMTP | 제로 액세스 암호화 | 익명 결제 | -| --------------------------- | -------------------------------------- | -------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } 유료 요금제만 | :material-check:{ .pg-green } | 현금 | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | 현금 | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| 서비스 제공자 | OpenPGP/WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | -------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } 유료 요금제만 | :material-check:{ .pg-green } | 현금 | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | 현금 | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP 호환 서비스 -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. 예를 들어, Proton Mail 사용자는 Mailbox.org 사용자에게 E2EE 메시지를 보내거나, OpenPGP 지원 인터넷 서비스에서 OpenPGP로 암호화된 알림을 받을 수 있습니다. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. 예를 들어, Proton Mail 사용자는 Mailbox.org 사용자에게 E2EE 메시지를 보내거나, OpenPGP 지원 인터넷 서비스에서 OpenPGP로 암호화된 알림을 받을 수 있습니다.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail 로고](assets/img/email/protonmail.svg){ align=right } -**Proton Mail**은 프라이버시, 암호화, 보안, 사용 편의성에 중점을 둔 이메일 서비스입니다. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail**은 프라이버시, 암호화, 보안, 사용 편의성에 중점을 둔 이메일 서비스입니다. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -무료 계정은 본문 텍스트 검색이 불가능하고 [Proton Mail Bridge](https://proton.me/mail/bridge)(Thunderbird 등 [권장 데스크톱 이메일 클라이언트](email-clients.md)를 사용하려면 필수적인 기능)를 사용할 수 없습니다. 유료 계정에는 Proton Mail Bridge, 추가 저장 공간, 사용자 지정 도메인 지원 등의 기능이 제공됩니다. Proton Mail 앱 [감사 증명서](https://proton.me/blog/security-audit-all-proton-apps)는 2021년 11월 9일에 [Securitum](https://research.securitum.com)에서 발급하였습니다. +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). 유료 계정에는 Proton Mail Bridge, 추가 저장 공간, 사용자 지정 도메인 지원 등의 기능이 제공됩니다. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +Proton Mail 앱 [감사 증명서](https://proton.me/blog/security-audit-all-proton-apps)는 2021년 11월 9일에 [Securitum](https://research.securitum.com)에서 발급하였습니다. Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. @@ -93,7 +97,7 @@ Proton Mail 유료 이용자는 서비스에서 자신의 도메인을 사용하 #### :material-check:{ .pg-green } 비공개 결제 수단 -Proton Mail은 일반 신용/직불 카드, [비트코인](advanced/payments.md#other-coins-bitcoin-ethereum-etc), Paypal, 현금 우편 결제를 [지원합니다](https://proton.me/support/payment-options). +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } 계정 보안 
@@ -109,7 +113,7 @@ Proton Mail은 이메일 및 [캘린더](https://proton.me/news/protoncalendar-s Proton Mail은 웹메일에 [OpenPGP 암호화 기능을 내장](https://proton.me/support/how-to-use-pgp)하고 있습니다. 다른 Proton Mail 계정으로 보내는 이메일은 자동으로 암호화되며, Proton Mail 외 주소로 보내는 이메일에 대한 OpenPGP 암호화는 계정 설정에서 간편하게 활성화할 수 있습니다. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. 이로써 Proton Mail을 사용하지 않는 사람도 Proton Mail OpenPGP 키를 쉽게 찾아 서로 다른 제공 업체 간 E2EE 적용이 가능합니다. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } 계정 해지 
@@ -117,17 +121,17 @@ Proton Mail also publishes the public keys of Proton accounts via HTTP from thei #### :material-information-outline:{ .pg-blue } 추가 기능 -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail은 디지털 유산 상속 기능을 제공하지 않습니다. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Mailbox.org 로고](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org**는 100% 친환경 에너지로 작동되는 안전하고, 광고가 없는 비공개 중점 이메일 서비스입니다. 2014년부터 운영되었습니다. Mailbox.org 본사는 독일 베를린에 위치하고 있습니다. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. 2014년부터 운영되었습니다. Mailbox.org 본사는 독일 베를린에 위치하고 있습니다. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org는 고유 도메인을 사용할 수 있으며, [캐치올](https:// #### :material-check:{ .pg-green } 비공개 결제 수단 -Mailbox.org는 BitPay 결제 처리업체가 독일에서 운영을 중단함에 따라 어떠한 암호화폐도 받지 않습니다. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org는 BitPay 결제 처리업체가 독일에서 운영을 중단함에 따라 어떠한 암호화폐도 받지 않습니다. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } 계정 보안 -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. [YubiCloud](https://yubico.com/products/services-software/yubicloud)를 통해 TOTP 또는 [YubiKey](https://en.wikipedia.org/wiki/YubiKey) 를 사용할 수 있습니다. [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) 등의 웹 표준은 아직 지원되지 않습니다. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. [YubiCloud](https://yubico.com/products/services-software/yubicloud)를 통해 TOTP 또는 [YubiKey](https://en.wikipedia.org/wiki/YubiKey) 를 사용할 수 있습니다. Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } 데이터 보안 Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 새로 수신하는 메시지는 즉시 공개 키로 암호화됩니다. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. 
해당 데이터에 대해서는 [다른 솔루션](calendar.md)을 찾는것이 적합할 수 있습니다. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } 이메일 암호화 Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. OpenPGP가 없어 수신자가 자신의 메일함에서 직접 복호화할 수 없을 경우에 이 기능을 사용할 수 있습니다. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Mailbox.org를 사용하지 않는 사람들은 Mailbox.org 계정의 OpenPGP 공개키를 쉽게 찾을 수 있고, 플랫폼과 무관하게 종단간 암호화를 할 수 있습니다. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } 계정 해지 
@@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org는 모든 플랜에 디지털 유산 상속 기능을 제공합니다. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org는 모든 플랜에 디지털 유산 상속 기능을 제공합니다. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## 그외 제공자 @@ -195,7 +199,9 @@ Mailbox.org는 모든 플랜에 디지털 유산 상속 기능을 제공합니 ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } 
@@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } 비공개 결제 수단 -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } 계정 보안 @@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } 데이터 보안 -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). 즉, 계정에 저장된 메시지 및 기타 데이터는 사용자 본인만 읽을 수 있습니다. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). 즉, 계정에 저장된 메시지 및 기타 데이터는 사용자 본인만 읽을 수 있습니다. #### :material-information-outline:{ .pg-blue } 이메일 암호화 @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## 자체 호스팅 이메일 고급 시스템 관리자는 자체 이메일 서버를 구축하는 것도 고려할 수 있습니다. 메일 서버는 보안과 메일 전달 역할을 신뢰성 있고 안정적으로 유지하기 위해 지속적인 주의 및 유지 관리가 필요합니다. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit **최소 요구 사항:** -- Zero Access Encryption을 통해 이메일 계정 데이터를 암호화해야 합니다. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- 자체 인프라에서 운영되어야 합니다. 다른 이메일 서비스 제공 업체의 인프라를 기반으로 만들어진 서비스여선 안 됩니다. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). 사용자 지정 도메인 이름은 서비스가 부실해지거나 프라이버시 보호를 우선시하지 않는 다른 회사에 인수되는 경우에도 에이전시를 유지할 수 있도록 해주기 때문에 사용자에게 중요합니다. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **우대 사항:** -- Zero Access Encryption을 통해 모든 계정 데이터(연락처, 캘린더 등)를 암호화해야 합니다. -- 웹메일에 E2EE/PGP 암호화가 통합되어 있어서 편리하게 사용할 수 있어야 합니다. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG 사용자는 `gpg --locate-key example_user@example.com`를 입력하여 키를 얻을 수 있습니다. -- 외부 사용자를 위해 임시 메일함을 지원해야 합니다. 수신자에게 실제 사본을 보내지 않고 암호화된 이메일을 보내고자 할 때 유용합니다. 이러한 이메일은 보통 수명이 제한돼 있으며 이후 자동으로 삭제됩니다. 수신자가 OpenPGP 등의 암호화를 설정할 필요가 없습니다. -- [Onion 서비스](https://en.wikipedia.org/wiki/.onion)를 통해 이메일 서비스를 이용할 수 있어야 합니다. -- [하위 주소](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) 지원. -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). 사용자 지정 도메인 이름은 서비스가 부실해지거나 프라이버시 보호를 우선시하지 않는 다른 회사에 인수되는 경우에도 에이전시를 유지할 수 있도록 해주기 때문에 사용자에게 중요합니다. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. 
GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- 외부 사용자를 위해 임시 메일함을 지원해야 합니다. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. 이러한 이메일은 보통 수명이 제한돼 있으며 이후 자동으로 삭제됩니다. 수신자가 OpenPGP 등의 암호화를 설정할 필요가 없습니다. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). 사용자 지정 도메인 이름은 서비스가 부실해지거나 프라이버시 보호를 우선시하지 않는 다른 회사에 인수되는 경우에도 에이전시를 유지할 수 있도록 해주기 때문에 사용자에게 중요합니다. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### 프라이버시 
@@ -337,30 +342,30 @@ Privacy Guides이 권장하는 제공자들은 최소한의 데이터만을 수 **최소 요구 사항:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- 사용자 이름과 비밀번호 외에 개인 식별 정보(PII, Personally Identifiable Information)를 요구하지 않아야 합니다. -- 프라이버시 정책은 GDPR에서 정의한 요구 사항을 충족해야 합니다. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **우대 사항:** -- [익명 결제 수단](advanced/payments.md)([암호 화폐](cryptocurrency.md), 현금, 기프트 카드 등)을 지원해야 합니다. -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### 보안 -이메일 서버는 매우 민감한 데이터를 대량으로 처리합니다. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **최소 요구 사항:** -- 웹메일은 2FA(TOTP 등)로 보호되어야 합니다. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. 
This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)를 지원해야 합니다. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). - [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. 
- Website security standards such as: @@ -370,10 +375,10 @@ Privacy Guides이 권장하는 제공자들은 최소한의 데이터만을 수 **우대 사항:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- 검증된 제 3자로부터 보안 감사 결과가 게시됨 +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - 버그 바운티 프로그램 또는 체계적인 취약점 공개 프로세스가 있음 - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -398,19 +403,16 @@ With the email providers we recommend, we like to see responsible marketing. **최소 요구 사항:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- "절대 뚫리지 않는 암호화" 등의 주장을 해선 안 됩니다. 암호화는 미래에 해당 암호화를 무력화할 수 있는 기술이 등장할 수 있다는 것을 항상 염두에 두고 사용해야 합니다. -- "100% 익명성 보장" 만약 누군가가 100%라고 주장한다면, 이는 절대 실패할 수 없다고 하는 것과 같습니다. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [브라우저 핑거프린팅](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [브라우저 핑거프린팅](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **우대 사항:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### 추가 기능 -엄격하게 적용한 요구 사항은 아니지만, 이 외의 편의성/프라이버시 요소 일부 또한 고려하여 권장 제공 업체를 결정했습니다. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/ko/os/android-overview.md b/i18n/ko/os/android-overview.md index 9b2711d0..85e0bd2d 100644 
--- a/i18n/ko/os/android-overview.md +++ b/i18n/ko/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr 고급 보호 프로그램은 향상된 위협 모니터링 기능을 제공합니다. -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Google 및 인증된 제3자 앱만이 계정 데이터에 접근 가능 - Google 계정의 받은 편지함에서 [피싱](https://en.wikipedia.org/wiki/Phishing#Email_phishing) 시도 스캔 - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. 이 기능을 비활성화하여 수집되는 데이터를 제한할 수 있습니다. -[Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play)가 존재하는 Android 배포판의 경우, :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, *Delete advertising ID*를 선택하세요. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. 확인해보세요. diff --git a/i18n/ku-IQ/basics/account-creation.md b/i18n/ku-IQ/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/ku-IQ/basics/account-creation.md +++ b/i18n/ku-IQ/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/ku-IQ/basics/email-security.md b/i18n/ku-IQ/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/ku-IQ/basics/email-security.md +++ b/i18n/ku-IQ/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
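Review bot: the capitalised "Set" after the colon in the `+If you use your own custom domain` line ("from the `keys.openpgp.org` server: Set a CNAME record...") reads as a mid-sentence capital; either lowercase it or split it into its own sentence ("...from the `keys.openpgp.org` server. Set a CNAME record on the `openpgpkey` subdomain..."). The OATH to OAuth correction in the `+Email providers which allow you to use standard access protocols` line is right: OATH is the Initiative for Open Authentication behind HOTP/TOTP, a different thing from OAuth, and the new relative link `account-creation.md#sign-in-with-oauth` resolves from the `basics/` directory this file lives in.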
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/ku-IQ/email-aliasing.md b/i18n/ku-IQ/email-aliasing.md index bc73aeb2..fbeaee7d 100644 --- a/i18n/ku-IQ/email-aliasing.md +++ b/i18n/ku-IQ/email-aliasing.md 
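Review bot: "Email metadata is protected from outside observers with opportunistic TLS" in the `+Email metadata is protected from outside observers` line overstates the guarantee. Opportunistic TLS (STARTTLS) only encrypts a hop when both servers happen to negotiate it and the peer is not authenticated, so it is subject to downgrade unless the domains involved enforce MTA-STS or DANE; "is usually protected in transit by opportunistic TLS, which can be downgraded" would be accurate. Removing the duplicated "protecting it from outside observers" and splitting the spam-filter sentence into its own paragraph are good.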
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## دابینکەرانی پێشنیارکراو
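Review bot: the new heading `+## دابینکەرانی پێشنیارکراو` is the only line in this hunk that arrives translated while `## Benefits`, `### Over Plus Addressing` and the rest stay in English source, which is expected for untranslated Crowdin segments, but the heading's generated anchor will be a slug of the Kurdish text, not `recommended-providers`, and the `email.md` hunk later in this patch links to `email-aliasing.md#recommended-providers`. Either verify the ku-IQ build resolves that anchor or pin it with an attr_list id on the heading (`## دابینکەرانی پێشنیارکراو { #recommended-providers }`), since the file already uses attr_list syntax (`{ .pg-brown }`).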
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
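Review bot: replacing the hard-coded tier prices with a link to `https://addy.io/#pricing` in the `+The number of shared aliases` line is the right call for text that goes stale, but the card's first line in this same hunk (`**Addy.io** lets you create 10 domain aliases on a shared domain for free`) still hard-codes the free-tier count, so the two statements will drift; consider pointing that sentence at the plan page too. The quoted `title="Documentation"` / `title="Contribute"` values and the ID-only Chrome Web Store URL are fine.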
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
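Review bot: in the `+SimpleLogin was [acquired by Proton AG]` line, "As both products are now owned by the same company you now only have to trust a single entity" repeats "now" and lacks the comma after the subordinate clause; suggest "As both products are now owned by the same company, you only have to trust a single entity." In the merged `+You can link your SimpleLogin account` line the voucher mention links ProxyStore to `https://simplelogin.io/faq`, whereas the equivalent Addy.io paragraph links to a dedicated voucher-code page; linking to the specific FAQ entry or the reseller page would serve the reader better than the FAQ root.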
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/ku-IQ/email-clients.md b/i18n/ku-IQ/email-clients.md index 069f84b1..c6c7fc7a 100644 --- a/i18n/ku-IQ/email-clients.md +++ b/i18n/ku-IQ/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/ku-IQ/email.md b/i18n/ku-IQ/email.md index 0aee0dc8..df8f7b08 100644 --- a/i18n/ku-IQ/email.md +++ b/i18n/ku-IQ/email.md 
@@ -22,19 +22,19 @@ global: بۆ هەموو شتێکی تر، ئێمە دابینکەری پۆستەی ئەلکتڕۆنی جۆراوجۆر پێشنیاردەکەین لەسەر بنەمای شێوازی بازرگانی پشتپێبەستراو و تایبەتمەندیەکانی پاراستن و تایبەتێێی. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## خزمەتگوزاریەکانی گونجاون لەگەڵ OpenPGP -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. بۆ نموونە: بەکارهێنەرێکی Proton Mail دەتوانێت پەیامێکی E2EE بنێرێت بۆ بەکارهێنەرێکی Mailbox.org، یان دەتوانیت ئاگادارکردنەوەی OpenPGP-شفرکراوت پێ بگات لەڕێی ئەو خزمەتگوزاریانەی پشتگیری دەکەن. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. بۆ نموونە: بەکارهێنەرێکی Proton Mail دەتوانێت پەیامێکی E2EE بنێرێت بۆ بەکارهێنەرێکی Mailbox.org، یان دەتوانیت ئاگادارکردنەوەی OpenPGP-شفرکراوت پێ بگات لەڕێی ئەو خزمەتگوزاریانەی پشتگیری دەکەن.
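Review bot: the Tuta row of the rebuilt table appears to break mid-cell: "Monero" ends one line and "Cash via third party |" starts the next. If that is a literal newline in the source rather than an artifact of how the patch was pasted here, the Markdown table will stop rendering at that row; write the cell as `Monero, Cash via third party` or use `<br>` inside the cell. The header renames ("Zero-Access Encryption", "Anonymous Payment Methods") and the widened separator row are otherwise consistent.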
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![لۆگۆی Proton Mail](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** خزمەتگوزاریەکی پۆستەی ئەلکتڕۆنیە، کە سەرنجی هەبوونی تایبەتێتی، شفرکردن، پارێزراوی، وە ئاسان لە بەکارهێنان دروست کراوە. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** خزمەتگوزاریەکی پۆستەی ئەلکتڕۆنیە، کە سەرنجی هەبوونی تایبەتێتی، شفرکردن، پارێزراوی، وە ئاسان لە بەکارهێنان دروست کراوە. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -هەژمارە بەخۆڕایەکان هەندێک سنووریان هەیە، وەک نەتوانینی گەڕان لەناو دەقی نامە و مافی نەبوونی بەکارهێنانی [Proton Mail Bridge](https://proton.me/mail/bridge)، کە پێویستە بۆ بەکارهێنانی[ ڕاژەخوازە پێشنیارکراوەکانی سەر کۆمپیوتەر](email-clients.md) (نـم. Thunderbird). هەژمارە پارەدراوەکان هەندێک تایبەتمەندی لەخۆدەگرن وەک Proton Mail Bridge، کۆگای زیادە، و پشتگیری دۆمەینە تایبەتەکان. [نامەیەکی تاقیکردنەوە](https://proton.me/blog/security-audit-all-proton-apps) بە مەبەستی لایەنگری بۆ کاربەرنامەکانی Proton Mail پێشکەشکرا لە 9ـی تشرینی دووەمی(نۆڤێمبەری) ساڵی 2021 لەلایەن [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). هەژمارە پارەدراوەکان هەندێک تایبەتمەندی لەخۆدەگرن وەک Proton Mail Bridge، کۆگای زیادە، و پشتگیری دۆمەینە تایبەتەکان. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +[نامەیەکی تاقیکردنەوە](https://proton.me/blog/security-audit-all-proton-apps) بە مەبەستی لایەنگری بۆ کاربەرنامەکانی Proton Mail پێشکەشکرا لە 9ـی تشرینی دووەمی(نۆڤێمبەری) ساڵی 2021 لەلایەن [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
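Review bot: the `+Free accounts have some limitations` line replaces the existing Kurdish translation of that sentence (still visible in the `-` line) with the English source string while the following sentence stays in Kurdish, so the paragraph now switches language mid-way. This is the usual Crowdin behaviour when a source segment is edited, but for ku-IQ readers it is a regression: the segment needs re-translation before this ships, and the same pattern recurs in the Mailbox.org hunks of this file (the payment-methods, two-factor and Open-Xchange sentences).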
@@ -93,7 +97,7 @@ Proton Mail has internal crash reports that are **not** shared with third partie #### :material-check:{ .pg-green }شێوازی پارەدانی نهێنی -Proton Mail پارەی نەخت [وەردەگرێت](https://proton.me/support/payment-options) لەڕێگای پۆستە, لەگەڵ شێوازە باوەکانی تری پارەدان وەک [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc)، credit/debit card، و Paypal. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green }پارێزراوێتی هەژمار 
@@ -109,7 +113,7 @@ Proton Mail تەکنەلۆژیای [شفرکردن و تێپەڕبوونی-ئە Proton Mail [شفرکردنی OpenPGP زیادکردووە](https://proton.me/support/how-to-use-pgp) بۆ ماڵپەری پۆستەی ئەلکتڕۆنییەکەیان. پۆستەی ئەلکتڕۆنی نێوان هەژمارەکانی Proton Mail خۆکارانە شفرکراوە، بەڵام شفرکردن لە نێوان Proton Mail و پۆستەی ئەلکتڕۆنی تر شفردەکرێن بە ئاسانی لەڕێگەی کلیلی OpenPGP، کە لە ڕێکخستنەکانی هەژمارەکەت هەیە. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. ئەمەڕێگە ئەو کەسانە دەدات کە Proton Mail بەکار ناهێنن بۆئەوەی کلیکە گشتیەکانی هەژماری Proton Mail بە ئاسانی بدۆزنەوە. تا ببێتە هۆی گونجاندن لەگەڵ دابینکەرانی تری E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } لەناوبردنی هەژمار 
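Review bot: "publishes the public keys of Proton accounts via HTTP from their WKD" in the `+Proton Mail also publishes` line is inaccurate: the Web Key Directory specification has clients fetch keys over HTTPS from the `.well-known/openpgpkey` path, and that authenticated transport is part of what makes a WKD lookup trustworthy. Suggest "via HTTPS" or simply "via WKD". The same wording survives in the Mailbox.org section of this file ("supports the discovery of public keys via HTTP from their WKD"). The link fix from `./basics/...` to `basics/...` is fine.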
@@ -117,9 +121,7 @@ Proton Mail also publishes the public keys of Proton accounts via HTTP from thei #### :material-information-outline:{ .pg-blue } کرداری زیادە -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Poton Mail کرداری میراتی دیجیتاڵی پێشکەش ناکات. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Poton Mail کرداری میراتی دیجیتاڵی پێشکەش ناکات. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox** خزمەتگوزاریەکی پۆستەی ئەلکتڕۆنیە کە جەخت لە هەبوونی سەلامەتی و بێ بەرامبەری تایبەتێتی و کارکردن بە وزەیەکی %100ـی هاوڕێی ژینگە. ئەوان لە **2014**ـەوە لە کاردان. Mailbox.org دەکەوێتە بەرلین، لە ئەڵمانیا. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. ئەوان لە **2014**ـەوە لە کاردان. Mailbox.org دەکەوێتە بەرلین، لە ئەڵمانیا. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
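Review bot: the `-Poton Mail کرداری میراتی دیجیتاڵی پێشکەش ناکات.` line (stating that Proton Mail does not offer a digital legacy feature) is deleted with no replacement, so the Proton "additional functionality" section now only describes the Unlimited plan, while the Mailbox.org section later in this file still describes its digital legacy feature. If the removal is deliberate, the commit should say so; otherwise keep a one-line statement so the two providers remain comparable on that point. The `**Mailbox**` to `**Mailbox.org**` rename in the second hunk is correct.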
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green }شێوازی پارەدانی نهێنی -Mailbox.org هیچ جۆرە دراوێکی دیجیتاڵی قبوڵ ناکات بەهۆی ڕاگرتنی کارەکانی شێوازی پارەدانەکەیان BitPay لە ئەڵمانیا. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org هیچ جۆرە دراوێکی دیجیتاڵی قبوڵ ناکات بەهۆی ڕاگرتنی کارەکانی شێوازی پارەدانەکەیان BitPay لە ئەڵمانیا. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green }پارێزراوێتی هەژمار -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). شیوازە باوەکانی وەک [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) هێشتا پشتگیری نەکراون. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue }پارێزراوێتی زانیاری Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). نامە نوێکانی کە تۆ وەریدەگری ڕاستەوخۆ بە کلیلی گشتیت شفر دەکرێن. 
-However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. [بژاردەیەکی سەربەخۆ](calendar.md) لەوانەیە گونجاوتر بێت بۆ ئەم زانیاریە. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } شفرکردنی پۆستەی ئەلکتڕۆنی Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. ئەم تایبەتمەندیە بەسوودە کاتێک وەرگر لە دوورەوە OpenPGPـی نییە و ناتوانێت شفرەکە لەسەر لەبەرگیراوەیەکی پۆستەکە لاببات لە سندووقی پۆستەکانی خۆیدا. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. ئەمە ڕێگە بە کەسانی دەرەوەی Mailbox.org دەدات کە کلیلەکانی OpenPGP بۆ هەژمارەکانی Mailbox.org بە ئاسانی بدۆزنەوە، تا ببێتە هۆی گونجاندن لەگەڵ دابینکەرانی تری E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. 
This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } لەناوبردنی هەژمار @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green }پارێزراوێتی هەژمار 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green }پارێزراوێتی زانیاری -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/ku-IQ/os/android-overview.md b/i18n/ku-IQ/os/android-overview.md index f2086618..4ff9761a 100644 
--- a/i18n/ku-IQ/os/android-overview.md +++ b/i18n/ku-IQ/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/nl/basics/account-creation.md b/i18n/nl/basics/account-creation.md index 8bbd42ad..b6eee9b4 100644 --- a/i18n/nl/basics/account-creation.md +++ b/i18n/nl/basics/account-creation.md 
@@ -42,7 +42,7 @@ Je bent verantwoordelijk voor het beheer van jouw inloggegevens. Voor extra beve #### E-mail aliassen -Als je jouw echte e-mailadres niet aan een dienst wilt geven, kunt je een alias gebruiken. We hebben deze in meer detail beschreven op onze pagina met aanbevelingen voor e-maildiensten. Met alias diensten kunt je nieuwe e-mailadressen aanmaken die alle e-mails doorsturen naar jouw hoofdadres. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Die kunnen automatisch worden gefilterd op basis van de alias waarnaar ze worden gestuurd. +Als je jouw echte e-mailadres niet aan een dienst wilt geven, kunt je een alias gebruiken. We describe them in more detail on our email services recommendation page. Met alias diensten kunt je nieuwe e-mailadressen aanmaken die alle e-mails doorsturen naar jouw hoofdadres. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Die kunnen automatisch worden gefilterd op basis van de alias waarnaar ze worden gestuurd. Als een dienst wordt gehackt, kunt je phishing- of spam-e-mails ontvangen op het adres waarmee je je hebt aangemeld. Het gebruik van unieke aliassen voor elke service kan helpen bij het identificeren van precies welke service is gehackt. 
@@ -50,19 +50,19 @@ Als een dienst wordt gehackt, kunt je phishing- of spam-e-mails ontvangen op het ### Meld je aan met... OAuth -OAuth is een authenticatieprotocol waarmee je je kan registreren voor een dienst zonder veel informatie te delen met de dienstverlener, als die er al is, door in plaats daarvan gebruik te maken van een bestaande account die je hebt bij een andere dienst. Wanneer je iets ziet in de trant van "Aanmelden met *providernaam*" op een registratieformulier, dan betreft dat meestal OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Wanneer je iets ziet in de trant van "Aanmelden met *providernaam*" op een registratieformulier, dan betreft dat meestal OAuth. Wanneer je met OAuth inlogt, wordt een inlogpagina geopend met de aanbieder die je kiest, en jouw bestaande account en nieuwe account zullen worden verbonden. Jouw wachtwoord wordt niet gedeeld, maar sommige basisinformatie wel (je kunt deze bekijken tijdens het inlogverzoek). Dit proces is nodig elke keer dat je wilt inloggen op hetzelfde account. De belangrijkste voordelen zijn: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Gebruiksgemak**: meerdere accounts worden beheerd door één enkele login. 
+- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. Maar er zijn ook nadelen: -- **Privacy**: de OAuth provider waarmee je je aanmeldt kent de diensten die je gebruikt. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Onze aanbeveling is om OAuth alleen te gebruiken waar je het nodig hebt, en altijd de hoofdaccount te beschermen met [MFA](multi-factor-authentication.md). diff --git a/i18n/nl/basics/email-security.md b/i18n/nl/basics/email-security.md index 13aee7a2..7e5a6bd9 100644 --- a/i18n/nl/basics/email-security.md +++ b/i18n/nl/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -E-mail is standaard een onveilige vorm van communicatie. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +E-mail is standaard een onveilige vorm van communicatie. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. Als gevolg hiervan wordt e-mail het beste gebruikt voor het ontvangen van transactionele e-mails (zoals meldingen, verificatie-e-mails, wachtwoordresets, enz.) van de services waarvoor je je online aanmeldt, niet voor het communiceren met anderen. ## Overzicht van e-mailversleuteling -De standaardmanier om E2EE toe te voegen aan e-mails tussen verschillende e-mailproviders is door OpenPGP te gebruiken. Er zijn verschillende implementaties van de OpenPGP-standaard, waarvan [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) en [OpenPGP.js](https://openpgpjs.org)de meest voorkomende zijn. +De standaardmanier om E2EE toe te voegen aan e-mails tussen verschillende e-mailproviders is door OpenPGP te gebruiken. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Zelfs als je OpenPGP gebruikt, biedt het geen ondersteuning voor [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), wat betekent dat als jouw privésleutel of die van de ontvanger ooit wordt gestolen, alle eerdere berichten die ermee zijn versleuteld, openbaar worden. 
Daarom bevelen wij [instant messengers](../real-time-communication.md) aan, die indien mogelijk forward secrecy implementeren in plaats van e-mail voor communicatie van persoon tot persoon. +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. Daarom bevelen wij [instant messengers](../real-time-communication.md) aan, die indien mogelijk forward secrecy implementeren in plaats van e-mail voor communicatie van persoon tot persoon. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### Welke e-mailclients ondersteunen E2EE? -E-mailproviders die je in staat stellen standaard toegangsprotocollen zoals IMAP en SMTP te gebruiken, kunnen worden gebruikt met elk van de [e-mailclients die wij aanbevelen](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +E-mailproviders die je in staat stellen standaard toegangsprotocollen zoals IMAP en SMTP te gebruiken, kunnen worden gebruikt met elk van de [e-mailclients die wij aanbevelen](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### Hoe bescherm ik mijn private sleutels? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Overzicht e-mailmetagegevens -E-mail metadata wordt opgeslagen in de [message header](https://en.wikipedia.org/wiki/Email#Message_header) van het e-mailbericht en omvat een aantal zichtbare headers die je wellicht hebt gezien, zoals: `Aan`, `Van`, `Cc`, `Datum`, `Onderwerp`. Veel e-mailclients en -providers hebben ook een aantal verborgen headers die informatie over jouw account kunnen onthullen. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. Veel e-mailclients en -providers hebben ook een aantal verborgen headers die informatie over jouw account kunnen onthullen. Client-software kan metagegevens over e-mail gebruiken om aan te geven van wie een bericht afkomstig is en hoe laat het werd ontvangen. Servers kunnen het gebruiken om te bepalen waar een e-mailbericht naartoe moet worden gestuurd, naast [andere doeleinden](https://en.wikipedia.org/wiki/Email#Message_header) die niet altijd transparant zijn. ### Wie kan e-mailmetagegevens bekijken? -E-mail metadata wordt beschermd tegen externe waarnemers met [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), maar kan nog steeds worden gezien door jouw e-mail client software (of webmail) en alle servers die het bericht van je doorsturen naar alle ontvangers, inclusief jouw e-mail provider. Soms maken e-mailservers ook gebruik van diensten van derden ter bescherming tegen spam, die over het algemeen ook toegang hebben tot jouw berichten. 
+Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Soms maken e-mailservers ook gebruik van diensten van derden ter bescherming tegen spam, die over het algemeen ook toegang hebben tot jouw berichten. ### Waarom kan metadata niet E2EE zijn? -E-mail metadata is van cruciaal belang voor de meest elementaire functionaliteit van e-mail (waar het vandaan komt, en waar het naartoe moet). E2EE was oorspronkelijk niet in de e-mailprotocollen ingebouwd; in plaats daarvan was extra software zoals OpenPGP nodig. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +E-mail metadata is van cruciaal belang voor de meest elementaire functionaliteit van e-mail (waar het vandaan komt, en waar het naartoe moet). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/nl/email-aliasing.md b/i18n/nl/email-aliasing.md index bc73aeb2..23dd12fb 100644 --- a/i18n/nl/email-aliasing.md +++ b/i18n/nl/email-aliasing.md 
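Review bot: two `+` lines in this hunk replace already-translated Dutch with the English source ("+Email metadata is stored in the [message header]..." and "+Email metadata is protected from outside observers with [opportunistic TLS]..."), leaving the nl page half-translated; if Crowdin reset these strings on a source change they need re-translation rather than landing as English. On the content, "protected from outside observers with opportunistic TLS" overstates it: opportunistic TLS only protects a hop where both servers negotiate STARTTLS and nothing strips it, so suggest "protected in transit on hops where servers negotiate opportunistic TLS".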
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Aanbevolen Providers
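Review bot: the new headings "## Benefits", "### Over Plus Addressing", "### Over Catch-All Aliases" and "### Over Temporary Email Services" are English while the heading they lead into, "## Aanbevolen Providers", is Dutch; either translate the new headings or keep the anchors consistent, because `email.md` in this same patch links to `email-aliasing.md#recommended-providers`, which does not match a Dutch "Aanbevolen Providers" heading. Also, the bullet "Emails are sent to your trusted mailbox rather than stored by the alias provider" reads as if the alias provider never sees the mail, which the paragraph further down ("requires trusting both your email provider and your aliasing provider with your unencrypted messages") contradicts; suggest "forwarded to your own mailbox rather than held in one the alias provider controls".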
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
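Review bot: the download list now labels the first two entries "Google Play" and "App Store" but keeps the FAQ anchors as targets (`https://addy.io/faq/#is-there-an-android-app`, `.../#is-there-an-ios-app`); either point them at the store listings or keep the old "Android"/"iOS" labels so the link text matches the destination. Replacing the hard-coded 10/50/unlimited counts with a link to `/#pricing` is the right call since those numbers drift, but the card's first line still hard-codes "10 domain aliases on a shared domain for free"; keep the two consistent or drop the number there as well.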
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
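Review bot: in the reflowed `+SimpleLogin was [acquired by Proton AG]...` line, "you now only have to trust a single entity" repeats "now" from earlier in the same sentence; drop one. The single-entity claim only holds when the forwarding target is Proton Mail, which the preceding sentence states, so the logic is fine. Moving the Securitum audit into its own paragraph matches the Addy.io change above.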
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/nl/email-clients.md b/i18n/nl/email-clients.md index 137bcb1c..2c49e447 100644 --- a/i18n/nl/email-clients.md +++ b/i18n/nl/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Dienstverleners](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Gerichte aanvallen](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
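Review bot: "Open Authorization (OAuth)" in the `+` line expands a name that is not an acronym; "[OAuth](basics/account-creation.md#sign-in-with-oauth)" is enough. "OAuth allows you to use Multi-Factor Authentication to prevent account theft" is also a shortcut: the client obtains a token through the provider's web sign-in, and it is that sign-in that enforces MFA, while an IMAP/SMTP login with a plain or app-specific password bypasses it. Suggest "OAuth lets the client sign in through the provider's web flow, where your multi-factor authentication applies".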
Email does not provide forward secrecy diff --git a/i18n/nl/email.md b/i18n/nl/email.md index ed00b3da..927080dd 100644 --- a/i18n/nl/email.md +++ b/i18n/nl/email.md 
@@ -22,19 +22,19 @@ E-mail is bijna een noodzaak voor het gebruik van elke online dienst, maar wij r Voor al het andere raden wij verschillende e-mailproviders aan op basis van duurzame bedrijfsmodellen en ingebouwde beveiligings- en privacyfuncties. Lees onze [volledige lijst met criteria](#criteria) voor meer informatie. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Contant | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Contant | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Contant | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Contant | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP compatibele diensten -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Een Proton Mail-gebruiker zou bijvoorbeeld een E2EE-bericht kunnen sturen naar een Mailbox.org-gebruiker, of je zou OpenPGP-versleutelde meldingen kunnen ontvangen van internetdiensten die dit ondersteunen. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Een Proton Mail-gebruiker zou bijvoorbeeld een E2EE-bericht kunnen sturen naar een Mailbox.org-gebruiker, of je zou OpenPGP-versleutelde meldingen kunnen ontvangen van internetdiensten die dit ondersteunen.
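Review bot: as shown here the Tuta row's last cell is split across lines ("... | Monero" then "Cash via third party |"); a Markdown table cell cannot contain a raw line break, so if the source does not already use `<br>` or a separator ("Monero, cash via third party") the table will not render. The "Anonymous Payment Methods" header rename is fine, but "Contant" is still Dutch in the Proton and Mailbox.org rows while Tuta's cell is English; pick one language for the column.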
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
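Review bot: "if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed" describes the wrong mechanism. A message is only decryptable with the private key it was encrypted to; the sender's key exposes their sent mail only because most clients also encrypt a copy to the sender's own key. Suggest "if a private key is ever stolen, every past message encrypted to that key (including the copies your client encrypted to your own key) can be decrypted".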
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** is een e-maildienst met focus op privacy, encryptie, veiligheid en gebruiksgemak. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** is een e-maildienst met focus op privacy, encryptie, veiligheid en gebruiksgemak. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Gratis accounts hebben enkele beperkingen, zoals het niet kunnen doorzoeken van bodytekst en geen toegang tot [Proton Mail Bridge](https://proton.me/mail/bridge), die nodig is om een [aanbevolen desktop e-mailclient](email-clients.md) (bv. Thunderbird) te gebruiken. Betaalde accounts bevatten functies zoals Proton Mail Bridge, extra opslagruimte en ondersteuning voor aangepaste domeinen. Een [attestatiebrief](https://proton.me/blog/security-audit-all-proton-apps) werd op 9 november 2021 verstrekt voor de apps van Proton Mail door [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Betaalde accounts bevatten functies zoals Proton Mail Bridge, extra opslagruimte en ondersteuning voor aangepaste domeinen. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +Een [attestatiebrief](https://proton.me/blog/security-audit-all-proton-apps) werd op 9 november 2021 verstrekt voor de apps van Proton Mail door [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Betaalde Proton Mail abonnees kunnen hun eigen domein met de dienst gebruiken of #### :material-check:{ .pg-green } Privé betaalmethoden -Proton Mail [accepteert](https://proton.me/support/payment-options) contant geld per post, naast standaard creditcard/debetkaart, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), en PayPal-betalingen. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Accountbeveiliging 
@@ -109,7 +113,7 @@ Bepaalde informatie opgeslagen in [Proton Contacts](https://proton.me/support/pr Proton Mail heeft [OpenPGP encryptie](https://proton.me/support/how-to-use-pgp) geïntegreerd in hun webmail. E-mails naar andere Proton Mail-accounts worden automatisch versleuteld, en versleuteling naar niet-Proton Mail-adressen met een OpenPGP-sleutel kan eenvoudig worden ingeschakeld in je accountinstellingen. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. Hierdoor kunnen mensen die geen Proton Mail gebruiken de OpenPGP sleutels van Proton Mail accounts gemakkelijk vinden, voor cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Beëindiging van account 
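Review bot: "publishes the public keys of Proton accounts via HTTP from their WKD" should say HTTPS; WKD is defined as an HTTPS fetch of a well-known URL and clients do not accept a plain-HTTP answer. The same wording appears in the Mailbox.org section later in this patch. Dropping the `./` prefix from the WKD link is fine.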
@@ -117,9 +121,7 @@ Als je een betaald account hebt en je na 14 dagen [niet je rekening hebt betaald #### :material-information-outline:{ .pg-blue } Aanvullende functionaliteit -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail heeft geen digitale erfenis functie. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail heeft geen digitale erfenis functie. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is een e-maildienst gericht op veiligheid, is reclamevrij en wordt 100% mogelijk gemaakt door milieuvriendelijke energie. Ze zijn sinds 2014 in bedrijf. Mailbox.org is gevestigd in Berlijn, Duitsland. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. Ze zijn sinds 2014 in bedrijf. Mailbox.org is gevestigd in Berlijn, Duitsland. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
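Review bot: the first hunk removes "Proton Mail heeft geen digitale erfenis functie." without a replacement, so the nl page loses a statement that the Mailbox.org section still uses as a point of comparison; if Proton has since added such a feature, say so rather than deleting the line silently. In the second hunk, "+**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy." replaces an existing Dutch translation with English, the same re-translation problem as in email-security.md.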
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Privé betaalmethoden -Mailbox.org accepteert geen Bitcoin of andere cryptocurrencies als gevolg van het feit dat hun betalingsverwerker BitPay zijn activiteiten in Duitsland heeft opgeschort. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org accepteert geen Bitcoin of andere cryptocurrencies als gevolg van het feit dat hun betalingsverwerker BitPay zijn activiteiten in Duitsland heeft opgeschort. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Accountbeveiliging -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Webstandaarden zoals [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) worden nog niet ondersteund. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. 
#### :material-information-outline:{ .pg-blue } Gegevensbeveiliging Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). Nieuwe berichten die je ontvangt, worden dan onmiddellijk versleuteld met jouw openbare sleutel. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. Een [standalone optie](calendar.md) kan geschikter zijn voor die informatie. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email encryptie Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. Deze functie is nuttig wanneer de ontvanger op afstand geen OpenPGP heeft en geen kopie van de e-mail in zijn eigen mailbox kan ontsleutelen. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Hierdoor kunnen mensen buiten Mailbox.org gemakkelijk de OpenPGP sleutels van Mailbox.org accounts vinden, voor cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. 
If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Beëindiging van account @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org ondersteunt ook [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) naast standaard toegangsprotocollen zoals IMAP en POP3. -Mailbox.org heeft een digitale nalatenschap functie voor alle abonnementen. Je kunt kiezen of je wilt dat jouw gegevens worden doorgegeven aan jouw erfgenamen, mits zij een aanvraag indienen en jouw testament overleggen. Je kunt ook een persoon nomineren met naam en adres. +Mailbox.org heeft een digitale nalatenschap functie voor alle abonnementen. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Je kunt ook een persoon nomineren met naam en adres. ## Meer providers 
@@ -195,7 +199,9 @@ Deze providers slaan je e-mails op met zero-knowledge encryptie, waardoor ze gew ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Privé betaalmethodes -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Accountbeveiliging 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Gegevensbeveiliging -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Dit betekent dat de berichten en andere gegevens die in jouw account zijn opgeslagen, alleen door je kunnen worden gelezen. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Dit betekent dat de berichten en andere gegevens die in jouw account zijn opgeslagen, alleen door je kunnen worden gelezen. #### :material-information-outline:{ .pg-blue } Email Encryptie @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Onze criteria Gevorderde systeembeheerders kunnen overwegen hun eigen e-mailserver op te zetten. Mailservers vereisen aandacht en voortdurend onderhoud om de zaken veilig te houden en de mailbezorging betrouwbaar. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ Wij beschouwen deze kenmerken als belangrijk om een veilige en optimale dienst t **Minimum om in aanmerking te komen:** -- Versleutelt e-mail accountgegevens in rust met zero-access encryptie. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Werkt op eigen infrastructuur, d.w.z. niet gebaseerd op e-mail service providers van derden. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Aangepaste domeinnamen zijn belangrijk voor gebruikers omdat ze zo hun agentschap van de dienst kunnen behouden, mocht het slecht aflopen of overgenomen worden door een ander bedrijf dat privacy niet hoog in het vaandel heeft staan. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Beste geval:** -- Versleutelt alle accountgegevens (Contacten, Agenda's, etc) in rust met zero-access encryptie. -- Geïntegreerde webmail E2EE/PGP-codering voor het gemak. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG-gebruikers kunnen een sleutel krijgen door te typen: `gpg --locate-key example_user@example.com` -- Ondersteuning voor een tijdelijke mailbox voor externe gebruikers. Dit is handig wanneer je een versleutelde e-mail wilt verzenden, zonder een echte kopie naar jouw ontvanger te sturen. Deze e-mails hebben meestal een beperkte levensduur en worden daarna automatisch verwijderd. Zij vereisen ook niet dat de ontvanger cryptografie configureert zoals OpenPGP. -- Beschikbaarheid van de diensten van de e-mailprovider via een [onion service](https://en.wikipedia.org/wiki/.onion). 
-- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Aangepaste domeinnamen zijn belangrijk voor gebruikers omdat ze zo hun agentschap van de dienst kunnen behouden, mocht het slecht aflopen of overgenomen worden door een ander bedrijf dat privacy niet hoog in het vaandel heeft staan. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Ondersteuning voor een tijdelijke mailbox voor externe gebruikers. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. Deze e-mails hebben meestal een beperkte levensduur en worden daarna automatisch verwijderd. Zij vereisen ook niet dat de ontvanger cryptografie configureert zoals OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Aangepaste domeinnamen zijn belangrijk voor gebruikers omdat ze zo hun agentschap van de dienst kunnen behouden, mocht het slecht aflopen of overgenomen worden door een ander bedrijf dat privacy niet hoog in het vaandel heeft staan. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
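Review bot: the custom-domain requirement is now listed twice in this hunk, once as `+- Allow users to use their own [domain name]...` under the minimum criteria and again as `+- Should allow users to use their own [domain name]...` under best case, each followed by the same Dutch explanatory sentence. Keep it in one list (the minimum list, since the hunk promotes it there) and drop the best-case copy, and reword the minimum bullet to `Must allow users to use their own domain name` so it matches the `Must encrypt...`, `Must be capable...`, `Must operate...` siblings. The same hunk also leaves the list half translated (English `Should...` bullets interleaved with the untouched Dutch `Ondersteuning voor een tijdelijke mailbox...` and `Catch-all or alias...` lines), so the rendered Dutch page will switch language mid-list until the remaining strings are translated.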
@@ -337,30 +342,30 @@ Wij geven er de voorkeur aan dat de door ons aanbevolen aanbieders zo weinig mog **Minimum om in aanmerking te komen:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Vereisen geen persoonlijk identificeerbare informatie (PII) naast een gebruikersnaam en een wachtwoord. -- Privacybeleid dat voldoet aan de vereisten van de GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Beste geval:** -- Accepteert [anonieme betalingsopties](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), contant geld, cadeaukaarten, etc.) -- Gehost in een jurisdictie met sterke wetgeving ter bescherming van de privacy van e-mails. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Veiligheid -Email servers verwerken veel zeer gevoelige gegevens. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum om in aanmerking te komen:** -- Bescherming van webmail met 2FA, zoals TOTP. -- Zero access encryption, which builds on encryption at rest. De provider heeft geen decryptiesleutels voor de gegevens die ze hebben. Dit voorkomt dat een malafide werknemer gegevens lekt waartoe hij toegang heeft, of dat een tegenstander op afstand gegevens vrijgeeft die hij heeft gestolen door ongeoorloofde toegang tot de server te verkrijgen. 
+- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. De provider heeft geen decryptiesleutels voor de gegevens die ze hebben. Dit voorkomt dat een malafide werknemer gegevens lekt waartoe hij toegang heeft, of dat een tegenstander op afstand gegevens vrijgeeft die hij heeft gestolen door ongeoorloofde toegang tot de server te verkrijgen. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) ondersteuning. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- Een geldig [MTA-STS](https://tools.ietf.org/html/rfc8461) en [TLS-RPT](https://tools.ietf.org/html/rfc8460) beleid. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - Geldig [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Geldige [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) en [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. - Geldige [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) en [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Zorg voor een correct [DMARC](https://en.wikipedia.org/wiki/DMARC) record en beleid of gebruik [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) voor verificatie. Als DMARC-authenticatie wordt gebruikt, moet het beleid worden ingesteld op `reject` of `quarantine`. 
+- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. Als DMARC-authenticatie wordt gebruikt, moet het beleid worden ingesteld op `reject` of `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). - [SMTPS](https://en.wikipedia.org/wiki/SMTPS) indiening, ervan uitgaande dat SMTP wordt gebruikt. - Beveiligingsnormen voor websites, zoals: @@ -370,10 +375,10 @@ Email servers verwerken veel zeer gevoelige gegevens. We expect that providers w **Beste geval:** -- Ondersteuning voor hardware-authenticatie, d.w.z. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certificatie Autoriteit Autorisatie (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in aanvulling op DANE ondersteuning. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Gepubliceerde veiligheidscontroles van een gerenommeerde derde partij. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Programma's voor bug-bounty's en/of een gecoördineerd proces voor de openbaarmaking van kwetsbaarheden. - Beveiligingsnormen voor websites, zoals: - [Inhoud beveiligingsbeleid (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
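Review bot: this hunk replaces the `-- Een geldig [MTA-STS] en [TLS-RPT] beleid.` bullet with `+- A server suite preference (optional on TLS 1.3) for strong cipher suites...`, so the minimum security criteria no longer require any policy that enforces TLS on server-to-server delivery or reports TLS failures, while the `@secure.mailbox.org` paragraph earlier in this file still presents enforced TLS between mail servers as a feature worth having. If the upstream source still lists MTA-STS/TLS-RPT, restore the line; if the removal is deliberate, merge the new cipher-suite bullet with the existing `- A server suite preference of TLS 1.2 or later and a plan for [RFC8996]...` bullet two lines below, since both describe the same TLS configuration requirement. Separately, the context line `- Geldige [SPF] en [DKIM] records.` appears twice in a row in this file; the duplicate should be removed in the source.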
@@ -381,7 +386,7 @@ Email servers verwerken veel zeer gevoelige gegevens. We expect that providers w ### Vertrouwen -Je zou je financiën niet toevertrouwen aan iemand met een valse identiteit, dus waarom zou je hen je e-mail toevertrouwen? Wij eisen van onze aanbevolen aanbieders dat zij hun eigendom of leiderschap openbaar maken. Wij zouden ook graag zien dat regelmatig verslag wordt uitgebracht over de transparantie, met name wat betreft de wijze waarop verzoeken van de overheid worden behandeld. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Wij eisen van onze aanbevolen aanbieders dat zij hun eigendom of leiderschap openbaar maken. Wij zouden ook graag zien dat regelmatig verslag wordt uitgebracht over de transparantie, met name wat betreft de wijze waarop verzoeken van de overheid worden behandeld. **Minimum om in aanmerking te komen:** 
@@ -398,19 +403,16 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum om in aanmerking te komen:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims van "onbreekbare encryptie." Encryptie moet worden gebruikt met de bedoeling dat zij in de toekomst niet meer geheim is wanneer de technologie bestaat om haar te kraken. -- Garanties van 100% bescherming van de anonimiteit. Wanneer iemand beweert dat iets 100% is, betekent dit dat er geen zekerheid is voor mislukking. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser vingerafdrukken](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser vingerafdrukken](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Beste geval:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. 
### Extra functionaliteit -Hoewel het geen strikte vereisten zijn, zijn er nog enkele andere factoren met betrekking tot gemak of privacy die wij in aanmerking hebben genomen bij het bepalen van de aan te bevelen providers. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/nl/os/android-overview.md b/i18n/nl/os/android-overview.md index 7dc0a8e5..59f39388 100644 --- a/i18n/nl/os/android-overview.md +++ b/i18n/nl/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr Het geavanceerde beschermingsprogramma biedt verbeterde controle op bedreigingen en maakt het mogelijk: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Alleen Google en geverifieerde apps van derden hebben toegang tot accountgegevens - Scannen van inkomende e-mails op Gmail-accounts voor [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) pogingen - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ Als je een EOL-apparaat hebt dat met Android 10 of hoger wordt geleverd en geen All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Schakel deze functie uit om de over je verzamelde gegevens te beperken. -Op Android distributies met [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), ga naar :gear: **Instellingen** → **Apps** → **Sandboxed Google Play** → **Google Instellingen** → **Advertenties**, en selecteer *Verwijder reclame ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/pl/basics/account-creation.md b/i18n/pl/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/pl/basics/account-creation.md +++ b/i18n/pl/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/pl/basics/email-security.md b/i18n/pl/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/pl/basics/email-security.md +++ b/i18n/pl/basics/email-security.md 
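Review bot: the new `+[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol...` line carries over an inaccuracy from the line it replaces: OAuth 2.0 (RFC 6749) is an authorization framework for delegated access, and the "Sign in with..." flows this section describes are authentication layered on top of it, normally via OpenID Connect. Suggest `is an authorization framework that is commonly used for signing in to a service` so the expansion and the description agree. Minor style point in the same hunk: `+- **Ease-of-use**: Multiple accounts...` does not need hyphens when "ease of use" is used as a noun phrase, and the old spelling was correct.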
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
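Review bot: the S/MIME sentence is rewritten in this hunk but keeps `[Google Workplace](https://support.google.com/a/topic/9061730)` in both the `-` and `+` lines; the product behind that support page is Google Workspace, so the name should be fixed while the line is being touched. The same `+` line also drops the comma after `however` (`...called [S/MIME](...), however it requires a certificate...`), which turns the sentence into a comma splice; either keep the original `, however, it requires` or split it into two sentences.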
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/pl/email-aliasing.md b/i18n/pl/email-aliasing.md index bc73aeb2..4873dc17 100644 --- a/i18n/pl/email-aliasing.md +++ b/i18n/pl/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Rekomendowani dostawcy
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/pl/email-clients.md b/i18n/pl/email-clients.md index 069f84b1..c6c7fc7a 100644 --- a/i18n/pl/email-clients.md +++ b/i18n/pl/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/pl/email.md b/i18n/pl/email.md index 10742946..475caab8 100644 --- a/i18n/pl/email.md +++ b/i18n/pl/email.md 
@@ -22,19 +22,19 @@ Email is practically a necessity for using any online service, however we do not For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP Compatible Services -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Private Payment Methods -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Account Security 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail doesn't offer a digital legacy feature. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail doesn't offer a digital legacy feature. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Private Payment Methods -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Account Security -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
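Review bot: In the Account Security paragraph of the @@ -148 hunk, "a YubiKey via the YubiCloud" describes Yubico OTP, a one-time-password scheme validated by Yubico's servers, not a hardware-bound FIDO/WebAuthn credential; since the very next sentence says WebAuthn is not supported, the current wording invites readers to assume phishing-resistant hardware authentication that is not actually offered. Suggest naming the mechanism: `You can use either TOTP or Yubico OTP with a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud).` The internal WebAuthn link change is fine.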
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Account Security 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
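Review bot: Deleting `Tuta doesn't offer a digital legacy feature.` in the @@ -248 hunk removes the only statement that parallels the Mailbox.org "digital legacy feature for all plans" paragraph, so the provider comparison becomes one-sided without explanation. If the line was removed because Tuta now offers the feature, replace it with a sentence saying so and a link to Tuta's documentation; if it was removed as unverifiable or out of scope, state that in the commit message rather than dropping the fact silently.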
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
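Review bot: The custom-domain criterion now appears twice in the @@ -315 hunk: it is added to **Minimum to Qualify** as `- Allow users to use their own [domain name]...` and kept in **Best Case** as `- Should allow users to use their own [domain name]...`. A requirement cannot be both mandatory and aspirational; drop the Best Case copy (including its duplicated rationale sentence). The new Minimum item is also the only one without a `Must` prefix, and `- Support for a temporary mailbox for external users.` and `- Catch-all or alias functionality...` are the only Best Case items without `Should`; make the modal verbs consistent across both lists.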
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
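Review bot: The modal-verb normalization in the Security lists (@@ -337 and @@ -370 hunks) is incomplete: only the DMARC item gained `Must`, while `DNSSEC support`, `Valid DANE records`, `SMTPS submission`, and the TLS items remain bare noun phrases, and in Best Case only the hardware-authentication and ARC items gained `Should`. Two wording points in the touched lines: `hardware authentication, i.e. U2F and [WebAuthn]` should read `e.g.` because these are examples, not a definition; and `A server suite preference of TLS 1.2 or later` mixes two different requirements, since a minimum protocol version is not a cipher-suite preference. Suggest `- Minimum protocol version of TLS 1.2 and a plan for [RFC8996]...`.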
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/pl/os/android-overview.md b/i18n/pl/os/android-overview.md index a92a1376..92bbab7e 100644 
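Review bot: Restructuring the marketing criteria into a nested list also changed content: `anonymity software (Tor, VPN, etc.)` became `anonymity software such as Tor`, which silently drops VPN from a hunk that otherwise only reformats. Either keep the original list or call out the deliberate change in the commit message. The misplaced parenthesis in `Reusing personal information e.g. (email accounts, unique pseudonyms, etc.)` also survives the rewrite; suggest `Reusing personal information (e.g. email accounts, unique pseudonyms, etc.)`.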
--- a/i18n/pl/os/android-overview.md +++ b/i18n/pl/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
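Review bot: Pointing OAuth at the account-creation page is fine, but the bullet lists `[OAuth]` alongside SMS OTPs and TOTP as a disallowed two-factor method, and OAuth is not an authentication factor; what the program restricts is third-party application access to account data through OAuth, which the next bullet (`Only Google and verified third-party apps can access account data`) already covers. Suggest removing `and [OAuth](...)` from the 2FA bullet, or rewording the end of it as `...and restricts third-party access granted via OAuth`.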
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/pt-BR/basics/account-creation.md b/i18n/pt-BR/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/pt-BR/basics/account-creation.md +++ b/i18n/pt-BR/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/pt-BR/basics/email-security.md b/i18n/pt-BR/basics/email-security.md index 8cf04864..b04fe867 100644 --- a/i18n/pt-BR/basics/email-security.md +++ b/i18n/pt-BR/basics/email-security.md 
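Review bot: The hunk adds the expansion `Open Authorization (OAuth)` yet keeps `is an authentication protocol`, so the sentence now contradicts its own expansion: OAuth is a delegated-authorization framework, and the "Sign in with..." identity layer built on it is OpenID Connect. Suggest `[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authorization protocol, commonly used for sign-in via OpenID Connect, that allows you to register...`. Minor: `Ease-of-use` as a noun should not be hyphenated; `Ease of use` matches the other bullet labels.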
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Visão Geral da Criptografia de Email -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
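Review bot: Both the removed and added S/MIME lines write `Google Workplace`; the product is Google Workspace (the link target `support.google.com/a/` is the Workspace admin help), so fix the name while the line is being touched. Dropping the comma after `however` in `S/MIME, however it requires a certificate` leaves a run-on; `S/MIME; however, it requires` or `S/MIME, but it requires` reads correctly.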
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### Quais Clientes de Email Suportam E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### Como Protejo Minhas Chaves Privadas? 
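Review bot: Changing `OATH` to `OAuth` is the right correction (OATH is the HOTP/TOTP standards body, not an IMAP/SMTP authentication method), but the new link points at the "Sign in with OAuth" section, which describes social login rather than mail-client token authentication (the SASL OAUTHBEARER/XOAUTH2 mechanisms). Consider linking the OAuth Wikipedia page instead, or adding a clause such as `OAuth-based mail authentication` so the two uses are not conflated. The sentence also says `this may lead to decreased security` without naming the fallback; adding `(the client must then store your account password or an app password)` would make the risk concrete.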
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Visão Geral dos Metadados de Email -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Quem Pode Ver Metadados de Email? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Por Que os Metadados Não Podem Ser E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/pt-BR/email-aliasing.md b/i18n/pt-BR/email-aliasing.md index bc73aeb2..90fcbccd 100644 --- a/i18n/pt-BR/email-aliasing.md +++ b/i18n/pt-BR/email-aliasing.md 
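Review bot: `Email metadata is protected from outside observers with [opportunistic TLS]` overstates the guarantee: opportunistic STARTTLS falls back to plaintext when negotiation fails and can be stripped by an on-path attacker, which is exactly why the provider criteria elsewhere in this patch require MTA-STS and DANE. Suggest `Email metadata is protected in transit by [opportunistic TLS] when both servers support it, but it is still able to be seen by...`. The removal of the duplicated "protecting it from outside observers" clause is a good fix.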
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Provedores Recomendados
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/pt-BR/email-clients.md b/i18n/pt-BR/email-clients.md index 8267da05..de9b439a 100644 --- a/i18n/pt-BR/email-clients.md +++ b/i18n/pt-BR/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Ataques Direcionados](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/pt-BR/email.md b/i18n/pt-BR/email.md index 4742b94a..a6d68f7c 100644 --- a/i18n/pt-BR/email.md +++ b/i18n/pt-BR/email.md 
@@ -22,19 +22,19 @@ O "email" é praticamente uma necessidade para usar qualquer serviço “online Para qualquer outra coisa, recomendamos uma variedade de provedores de email baseados em modelos de negócio sustentáveis e recursos de segurança e privacidade incorporados. Leia nossa [lista completa de requisitos](#criteria) para mais informações. -| Provedor | OpenPGP / WKD | IMAP / SMTP | Criptografia de Acesso Zero | Pagamentos anônimos | -| --------------------------- | -------------------------------------- | -------------------------------------------------------------- | ------------------------------------------------------ | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Planos pagos apenas | :material-check:{ .pg-green } | Dinheiro | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail apenas | Dinheiro | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provedor | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | -------------------------------------------------------------- | ------------------------------------------------------ | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Planos pagos apenas | :material-check:{ .pg-green } | Dinheiro | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail apenas | Dinheiro | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -Além de (ou ao invés de) um provedor de e-mail recomendado aqui, você pode considerar um serviço de aliasing [e-mail dedicado](email-aliasing.md) para proteger sua privacidade. Entre outras coisas, esses serviços podem ajudar a proteger sua caixa de entrada real contra spam, impedir que marketeiros correlacionem suas contas, e criptografia de todas as mensagens recebidas com PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Entre outras coisas, esses serviços podem ajudar a proteger sua caixa de entrada real contra spam, impedir que marketeiros correlacionem suas contas, e criptografia de todas as mensagens recebidas com PGP. - [Saiba mais :material-arrow-right-drop-circle:](email-aliasing.md) ## Serviços Compatíveis com OpenPGP -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Por exemplo, um usuário do Proton Mail pode mandar uma mensagem E2E para um usuário de Mailbox.org, ou você pode receber notificações criptografadas por OpenPGP de serviços de internet que suportam isso. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Por exemplo, um usuário do Proton Mail pode mandar uma mensagem E2E para um usuário de Mailbox.org, ou você pode receber notificações criptografadas por OpenPGP de serviços de internet que suportam isso.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key Ao usar a tecnologia E2EE, como o OpenPGP, seu e-mail ainda terá alguns metadados que não são criptografados no cabeçalho do e-mail, geralmente incluindo a linha de assunto! Leia mais sobre [metadados de e-mail](basics/email-security.md#email-metadata-overview). -OpenPGP também não suporta Encaminhamento Sigiloso, isso significa que se a sua chave ou a do destinatário é alguma vez roubada, todas as mensagens anteriores encriptadas com essa chave serão expostas. [Como eu protejo minhas chaves privadas?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP também não suporta Encaminhamento Sigiloso, isso significa que se a su ![logo do Proton Mail](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** é um serviço de email com foco na privacidade, criptografia, segurança, e facilidade de uso. Eles estão operando desde 2013. A Proton AG está sedeada em Genebra, na Suíça. O plano gratuito da Proton Mail eletrônico tem 500 MB de armazenamento com a possibilidade de expansão até 1 GB +**Proton Mail** é um serviço de email com foco na privacidade, criptografia, segurança, e facilidade de uso. Eles estão operando desde 2013. A Proton AG está sedeada em Genebra, na Suíça. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Página inicial](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Serviço Onion" } 
@@ -81,9 +85,9 @@ OpenPGP também não suporta Encaminhamento Sigiloso, isso significa que se a su -Contas gratuitas têm algumas limitações, como não poderem pesquisar no corpo de texto e não ter acesso à [Ponte Proton Mail](https://proton.me/mail/bridge), o que é requerido para usar um [cliente de email desktop recomendado](email-clients.md) (ex. Thunderbird). Contas pagas incluem funcionalidades como a Ponte Proton Mail, mais armazenamento, e suporte para domínios customizados. Um [certificado de segurança](https://proton.me/blog/security-audit-all-proton-apps) foi concedido para os aplicativos do Proton Mail em 9 de Novembro de 2021 pela [Securitium](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Contas pagas incluem funcionalidades como a Ponte Proton Mail, mais armazenamento, e suporte para domínios customizados. Se você tem o Proton Unlimited, Bussiness, ou Visionary Plan, você também ganha o [SimpleLogin](#simplelogin) Premium de graça. -Se você tem o Proton Unlimited, Bussiness, ou Visionary Plan, você também ganha o [SimpleLogin](#simplelogin) Premium de graça. +Um [certificado de segurança](https://proton.me/blog/security-audit-all-proton-apps) foi concedido para os aplicativos do Proton Mail em 9 de Novembro de 2021 pela [Securitium](https://research.securitum.com). O Proton Mail tem relatórios internos de travamento que eles **não** compartilham com terceiros. Isso pode ser desativado no aplicativo Web: :gear: → **Todas as configurações** → **Conta** → **Segurança e privacidade** → **Privacidade e coleta de dados**. 
@@ -93,7 +97,7 @@ Assinantes pagos do Proton Mail podem usar seu próprio domínio com o serviço #### :material-check:{ .pg-green } Métodos de Pagamento Privados -Proton Mail [aceita](https://proton.me/support/payment-options) dinheiro por correio, para além dos pagamentos normais com cartão de crédito/débito, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) e PayPal. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Segurança da Conta 
@@ -109,7 +113,7 @@ Certas informações armazenadas no [Proton Contacts](https://proton.me/support/ Proton Mail [tem criptografia OpenPGP integrada](https://proton.me/support/how-to-use-pgp) em seu webmail. E-mails para outras contas do Proton Mail são criptografados automaticamente, e criptografia para endereços não-Proton Mail com uma chave OpenPGP pode ser facilmente ativada nas configurações da sua conta. Proton also supports automatic external key discovery with WKD. Isso significa que os e-mails enviados a outros provedores que usam o WKD também serão criptografados automaticamente com o OpenPGP, sem a necessidade de trocar manualmente chaves PGP públicas com seus contatos. Eles também permitem que você [criptografe mensagens para endereços não-Proton Mail](https://proton.me/support/password-protected-emails) sem a necessidade de eles se cadastrarem com uma conta Proton Mail ou usar programas como OpenPGP. -O Proton Mail também publica as chaves públicas das contas Proton via HTTP a partir de seu WKD. Isso permite que as pessoas que não usam o Proton Mail encontrem as chaves OpenPGP de contas Proton Mail facilmente, para criptografia ponta-a-ponta (E2EE) entre provedores. Isso só se aplica aos endereços de e-mail que terminam em um dos domínios da própria ProtonMail, como @proton.me. Se você usar um domínio personalizado, deverá [configurar o WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separadamente. +O Proton Mail também publica as chaves públicas das contas Proton via HTTP a partir de seu WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Rescisão da Conta 
@@ -117,9 +121,7 @@ Se você tiver uma conta paga e sua conta [não for paga](https://proton.me/supp #### :material-information-outline:{ .pg-blue } Funcionalidades Adicionais -O plano [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) do Proton Mail também garante acesso a outros serviços da Proton, além de fornecer vários domínios personalizados, *aliases* (endereços de redirecionamento) ilimitados do tipo *hide-my-email* (camufle meu endereço de email) e 500 GB de armazenamento. - -O Proton Mail não oferece um recurso de legado digital. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ O Proton Mail não oferece um recurso de legado digital. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -O **Mailbox.org** é um serviço de e-mail que se concentra em ser seguro, livre de anúncios e alimentado de forma privada por energia 100% ecológica. Eles estão operando desde 2014. Mailbox.org é sediado em Berlim, Alemanha. As contas têm a o armazenamento de 2GB em seu plano inicial, que pode ser atualizado se necessário. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. Eles estão operando desde 2014. Mailbox.org é sediado em Berlim, Alemanha. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ O Mailbox.org permite que você use seu próprio domínio e oferece suporte a en #### :material-check:{ .pg-green } Métodos de Pagamento Privados -Mailbox.org não aceita nenhuma criptomoeda como resultado do seu processador de pagamentos BitPay ter suspendido as operações na Alemanha. No entanto, eles aceitam transações pelos correios, pagamento físico para bancos, transferências bancárias, transações via Papal e serviços financeiros específicos da Alemanha como Pandeireta e Sofortuberweisung. +Mailbox.org não aceita nenhuma criptomoeda como resultado do seu processador de pagamentos BitPay ter suspendido as operações na Alemanha. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Segurança da Conta -A Mailbox.org suporta autenticação em dois fatores [(2FA)](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) apenas para o webmail. Você pode usar o TOTP ou uma [YubiKey](https://en.wikipedia.org/wiki/YubiKey) por meio do [YubiCloud](https://yubico.com/products/services-software/yubicloud). Padrões da Web como [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) ainda não são suportados. +A Mailbox.org suporta autenticação em dois fatores [(2FA)](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) apenas para o webmail. Você pode usar o TOTP ou uma [YubiKey](https://en.wikipedia.org/wiki/YubiKey) por meio do [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. 
#### :material-information-outline:{ .pg-blue } Segurança dos Dados Mailbox.org permite criptografia de e-mails recebidos usando sua [caixa de correio criptografada](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). Novas mensagens que você receber serão imediatamente criptografadas com a sua chave pública. -No entanto, [o Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), a plataforma de software usada pelo Mailbox.org, [não oferece suporte à](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) criptografia do seu catálogo de endereços e calendário. Uma [opção autônoma](calendar.md) pode ser mais apropriada para essas informações. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Criptografia do Email Mailbox.org tem [criptografia integrada](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) em seu webmail, o que simplifica o envio de mensagens para pessoas com chaves OpenPGP públicas. Eles também permitem que [destinatários remotos descriptografem um e-mail](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) nos servidores do Mailbox.org. Esse recurso é útil quando o destinatário remoto não tem OpenPGP e não pode descriptografar uma cópia do e-mail em sua própria caixa de correio. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Isso permite que pessoas fora do Mailbox.org encontrem as chaves OpenPGP de contas Mailbox.org facilmente, para criptografia ponta-a-ponta (E2EE) entre provedores. 
Isso só se aplica aos endereços de e-mail que terminam em um dos domínios da própria Mailbox, como @mailbox.org. Se você usar um domínio personalizado, deverá [configurar o WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separadamente. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Rescisão da Conta 
@@ -176,7 +180,7 @@ Você pode acessar sua conta do Mailbox.org via IMAP/SMTP usando o [ serviço .o Todas as contas vêm com armazenamento limitado na nuvem que [pode ser criptografado](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org também oferece o pseudônimo [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), que impõe a criptografia TLS na conexão entre os servidores de email, caso contrário, a mensagem não será enviada. Mailbox.org também suporta [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync), além dos protocolos de acesso padrão como IMAP e POP3. -Mailbox.org tem um recurso de legado digital para todos os planos. Você pode escolher se quer que os seus dados sejam transmitidos aos seus herdeiros, desde que estes o solicitem e apresentem o seu testamento. Como alternativa, você pode nomear uma pessoa através do seu nome e endereço. +Mailbox.org tem um recurso de legado digital para todos os planos. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Como alternativa, você pode nomear uma pessoa através do seu nome e endereço. ## Mais Provedores 
@@ -195,7 +199,9 @@ Estes provedores armazenam os seus e-mails com criptografia de conhecimento zero ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (anteriormente *Tutanota*) é um serviço de e-mail com foco na segurança e privacidade por meio do uso de criptografia. Tutá está em funcionamento desde 2011 e está com sede em Hanover, Alemanha. Contas gratuitas com 1GB de armazenamento. +**Tuta** (anteriormente *Tutanota*) é um serviço de e-mail com foco na segurança e privacidade por meio do uso de criptografia. Tutá está em funcionamento desde 2011 e está com sede em Hanover, Alemanha. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Página inicial](https://firefox.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://mozilla.org/privacy/firefox){ .card-link title="Política de privacidade" } @@ -226,7 +232,7 @@ Contas pagas da Tuta podem usar 15 ou 30 pseudônimos, dependendo do plano, e ps #### :material-information-outline:{ .pg-blue } Métodos de Pagamento Privados -A Tuta só aceita diretamente cartões de crédito e PayPal, mas [criptomoedas](cryptocurrency.md) pode ser usada como método de pagamento para adquirir cartões-presente através de uma [parceria](https://tuta.com/support/#cryptocurrency) com a Proxystore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Segurança da Conta 
@@ -234,7 +240,7 @@ Também há suporte à [autenticação de dois fatores](https://tuta.com/suppor #### :material-check:{ .pg-green } Segurança dos Dados -O Tuta tem [criptografia de acesso zero em repouso](https://tuta.com/support#what-encrypted) para seus e-mails, [contatos do catálogo de endereços](https://tuta.com/support#encrypted-address-book) e [calendários](https://tuta.com/support#calendar). Isso significa que as mensagens e outros dados armazenados em sua conta só são legíveis por você. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Isso significa que as mensagens e outros dados armazenados em sua conta só são legíveis por você. #### :material-information-outline:{ .pg-blue } Criptografia do Email @@ -248,8 +254,6 @@ A Tuta excluirá [as contas gratuitas inativas](https://tuta.com/support#inactiv Tuta oferece a versão comercial do [Tuta para organizações sem fins lucrativos](https://tuta.com/blog/secure-email-for-non-profit) de graça ou com desconto. -O Tuta não oferece um recurso de legado digital. - ## Email Auto-Hospedado Administratores de sistema avançados podem considerar a possibilidade de configurar seu próprio servidor de e-mail. Os servidores de e-mail exigem atenção e manutenção contínua para manter a segurança e a confiabilidade da entrega de e-mails. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ Consideramos esses recursos importantes para fornecer um serviço seguro e otimi **Mínimo Para Qualificação:** -- Criptografa os dados da conta de e-mail em repouso com criptografia de acesso zero. -- Função "Exportar como" para os formatos [Mbox](https://en.wikipedia.org/wiki/Mbox) ou arquivos .eml individuais no padrão [RFC5322](https://datatracker.ietf.org/doc/rfc5322). -- Opera em uma infraestrutura própria, ou seja, não é baseada em provedores de serviços de e-mail de terceiros. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Nomes de domínio personalizados são importantes para os usuários, porque lhes permite manter sua agência a partir do serviço. Deve piorar ou ser adquirido por outra empresa que não priorize a privacidade. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Melhor Caso:** -- Criptografa todos os dados da conta (contatos, calendários, etc.) em repouso com criptografia de acesso zero. -- Criptografia E2EE/PGP integrada de webmail fornecido como conveniência. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. Usuários do GnuPG podem obter uma chave digitando: `gpg --locate-key example_user@example.com` -- Suporte para uma caixa de correio temporária para usuários externos. Isso é útil quando você deseja enviar um e-mail criptografado sem enviar uma cópia real para o seu destinatário. Estes e-mails geralmente têm um tempo de vida limitado e depois são automaticamente excluídos. Eles também não exigem que o destinatário configure nenhuma criptografia, como o OpenPGP. 
-- Disponibilidade do site do provedor de serviços de e-mail em um [serviço onion](https://en.wikipedia.org/wiki/.onion). -- Suporte a [subendereçamento](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Nomes de domínio personalizados são importantes para os usuários, porque lhes permite manter sua agência a partir do serviço. Deve piorar ou ser adquirido por outra empresa que não priorize a privacidade. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Suporte para uma caixa de correio temporária para usuários externos. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. Estes e-mails geralmente têm um tempo de vida limitado e depois são automaticamente excluídos. Eles também não exigem que o destinatário configure nenhuma criptografia, como o OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Nomes de domínio personalizados são importantes para os usuários, porque lhes permite manter sua agência a partir do serviço. Deve piorar ou ser adquirido por outra empresa que não priorize a privacidade. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacidade 
@@ -337,30 +342,30 @@ Preferimos que nossos provedores recomendados coletem o mínimo possível de dad **Mínimo Para Qualificação:** -- Protege o endereço IP do remetente, o que pode envolver a filtragem de sua exibição no campo de cabeçalho `Received`. -- Não exige informações de identificação pessoal (PII) além de um nome de usuário e uma senha. -- Política de privacidade que atende aos requisitos definidos pelo GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Melhor Caso:** -- Aceita [opções de pagamento anônimas](advanced/payments.md) ([criptomoedas](cryptocurrency.md), dinheiro, cartões-presente, etc.) -- Hospedado em uma jurisdição com fortes leis de proteção de privacidade de e-mail. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Segurança -Os servidores de e-mail lidam com uma grande quantidade de dados muito confidenciais. Esperamos que os provedores adotem as melhores práticas do setor para proteger seus clientes. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Mínimo Para Qualificação:** -- Proteção do webmail com 2FA, como TOTP. -- Criptografia de acesso zero, que se baseia na criptografia em repouso. O provedor não tem as chaves de descriptografia dos dados que possui. Isso evita que um funcionário desonesto vaze os dados aos quais tem acesso ou que um adversário remoto libere os dados que roubou ao obter acesso não autorizado ao servidor. 
+- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. O provedor não tem as chaves de descriptografia dos dados que possui. Isso evita que um funcionário desonesto vaze os dados aos quais tem acesso ou que um adversário remoto libere os dados que roubou ao obter acesso não autorizado ao servidor. - Suporte a [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). - Nenhum erro ou vulnerabilidade de TLS ao ser analisado por ferramentas como [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh) ou [Qualys SSL Labs](https://ssllabs.com/ssltest); isso inclui erros relacionados a certificados e parâmetros DH fracos, como os que levaram ao [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- Uma preferência de suite de servidor (opcional em TLSv1.3) para suites de cifragem fortes que suportam encaminhamento de sigilo e criptografia autenticada. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - Uma política válida de [MTA-STS](https://tools.ietf.org/html/rfc8461) e [TLS-RPT](https://tools.ietf.org/html/rfc8460). - Registros [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) válidos. - Registros [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) e [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) válidos. -- Tenha um registro e uma política [DMARC](https://en.wikipedia.org/wiki/DMARC) adequados ou use o [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) para autenticação. Se a autenticação DMARC estiver sendo usada, a política deve ser definida como `rejeitar` ou `em quarentena`. 
+- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. Se a autenticação DMARC estiver sendo usada, a política deve ser definida como `rejeitar` ou `em quarentena`. - Uma preferência de suíte de servidor de TLS 1.2 ou posterior e um plano para [RFC8996](https://datatracker.ietf.org/doc/rfc8996). - Envio [SMTPS](https://en.wikipedia.org/wiki/SMTPS), assumindo que o SMTP seja usado. - Padrões de segurança do site, como: @@ -370,10 +375,10 @@ Os servidores de e-mail lidam com uma grande quantidade de dados muito confidenc **Melhor Caso:** -- Suporte para autenticação de hardware, isto é. U2F e [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F e [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [Registro de recurso de autorização de autoridade de certificação (CAA) do DNS](https://tools.ietf.org/html/rfc6844), além do suporte a DANE. -- Implementação do [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), que é útil para pessoas que postam em listas de discussão [RFC8617](https://tools.ietf.org/html/rfc8617). -- Auditorias de segurança publicadas por uma empresa terceirizada de boa reputação. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Programas de recompensa por bugs e/ou um processo coordenado de divulgação de vulnerabilidades. - Padrões de segurança do site, tais como: - [Política de segurança de conteúdo (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -381,36 +386,33 @@ Os servidores de e-mail lidam com uma grande quantidade de dados muito confidenc ### Confiança -Você não confiaria suas finanças a alguém com uma identidade falsa, então por que confiar seu e-mail a essa pessoa? Exigimos que nossos provedores recomendados sejam transparentes quanto a seus proprietários ou lideranças. Também esperamos ver relatórios de transparência frequentes, especialmente com relação à forma como as solicitações do governo são tratadas. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Exigimos que nossos provedores recomendados sejam transparentes quanto a seus proprietários ou lideranças. Também esperamos ver relatórios de transparência frequentes, especialmente com relação à forma como as solicitações do governo são tratadas. **Mínimo Para Qualificação:** - Liderança ou propriedade voltada para o público. -**Cenário ideal:** +**Melhor Caso:** - Relatórios de transparência frequentes. ### Marketing -Com os provedores de e-mail que recomendamos, gostamos de ver um marketing responsável. +With the email providers we recommend, we like to see responsible marketing. -**Mínimo para Qualificação:** +**Mínimo Para Qualificação:** -- Precisa precis ter um serviço de auto-hospedagem de seus dados estatísticos (sem Google Analytics, Adobe Analytics, etc. ). - -Não deve haver qualquer marketing irresponsável, o que pode incluir o seguinte: - -- Alegações de "criptografia inquebrável" A criptografia deve ser utilizada com a intenção de não ser secreta no futuro quando a tecnologia para quebra-lá existir. -- Garantir 100% de proteção ao anonimato. Quando alguém afirma que algo é 100%, significa que não há certeza de fracasso. Sabemos que as pessoas podem facilmente se desanonimizar de várias maneiras, por exemplo: - - - Reutilização de informações pessoais, por exemplo, (contas de e-mail, pseudônimos exclusivos etc.) que eles acessaram sem software de anonimato (Tor, I2P, VPN etc.) 
- - [Impressão digital do navegador](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Impressão digital do navegador](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Melhor Caso:** -- Limpar e ler facilmente a documentação de tarefas como a configuração do 2FA, clientes de e-mail, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Funções Adicionais -Embora não sejam requisitos estritos, há outros fatores de conveniência ou privacidade que analisamos ao determinar quais provedores recomendar. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/pt-BR/os/android-overview.md b/i18n/pt-BR/os/android-overview.md index 5633a3d6..7fa0f8ce 100644 --- a/i18n/pt-BR/os/android-overview.md +++ b/i18n/pt-BR/os/android-overview.md 
@@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/pt/basics/account-creation.md b/i18n/pt/basics/account-creation.md index 319d445d..b3602e40 100644 --- a/i18n/pt/basics/account-creation.md +++ b/i18n/pt/basics/account-creation.md 
@@ -42,7 +42,7 @@ Será responsável pela gestão das suas credenciais de início de sessão. Para #### Aliases de correio eletrónico -Se não quiser fornecer o seu verdadeiro endereço de correio eletrónico a um serviço, tem a opção de utilizar um pseudónimo. Descrevemos los com mais pormenor na nossa página de recomendações de serviços de correio eletrónico. Essencialmente, os serviços de alias permitem-lhe gerar novos endereços de correio eletrónico que reencaminham todas as mensagens para o seu endereço principal. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Estes podem ser filtrados automaticamente com base no pseudónimo para o qual são enviados. +Se não quiser fornecer o seu verdadeiro endereço de correio eletrónico a um serviço, tem a opção de utilizar um pseudónimo. We describe them in more detail on our email services recommendation page. Essencialmente, os serviços de alias permitem-lhe gerar novos endereços de correio eletrónico que reencaminham todas as mensagens para o seu endereço principal. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Estes podem ser filtrados automaticamente com base no pseudónimo para o qual são enviados. Se um serviço for comprometido, pode começar a receber mensagens eletrónicas de phishing ou spam no endereço que utilizou para se registar. A utilização de aliases únicos para cada serviço pode ajudar a identificar exatamente qual o serviço comprometido. 
@@ -50,19 +50,19 @@ Se um serviço for comprometido, pode começar a receber mensagens eletrónicas ### "Iniciar a sessão com..." (OAuth) -A OAuth é um protocolo de autenticação que permite registar-se num serviço sem partilhar muitas informações com o fornecedor do serviço, se for caso disso, utilizando uma conta existente noutro serviço. Sempre que vir algo como "Inicie sessão com o nome do fornecedor **" num formulário de registo, normalmente utiliza o OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Sempre que vir algo como "Inicie sessão com o nome do fornecedor **" num formulário de registo, normalmente utiliza o OAuth. Quando iniciar sessão com o OAuth, será aberta uma página de início de sessão com o fornecedor que escolher, e a sua conta existente e a nova conta serão ligadas. A sua palavra-passe não será partilhada, mas algumas informações básicas serão normalmente partilhadas (pode revê-las durante o pedido de início de sessão). Este processo é necessário sempre que se pretende iniciar sessão na mesma conta. As principais vantagens são: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Facilidade de utilização**: várias contas são geridas por um único início de sessão. 
+- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. Mas há desvantagens: -- **Privacidade**: o fornecedor OAuth com o qual inicia sessão conhecerá os serviços que utiliza. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. A nossa recomendação é limitar a utilização do OAuth apenas onde for necessário e proteger sempre a conta principal com [MFA](multi-factor-authentication.md). diff --git a/i18n/pt/basics/email-security.md b/i18n/pt/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/pt/basics/email-security.md +++ b/i18n/pt/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/pt/email-aliasing.md b/i18n/pt/email-aliasing.md index 5e4115cc..524200da 100644 --- a/i18n/pt/email-aliasing.md +++ b/i18n/pt/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Provedores recomendados
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Framadate -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/pt/email-clients.md b/i18n/pt/email-clients.md index 63d7819c..aa594c0e 100644 --- a/i18n/pt/email-clients.md +++ b/i18n/pt/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Fornecedores de serviços](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Ataques direcionados](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/pt/email.md b/i18n/pt/email.md index ee8c6404..fb42ae21 100644 --- a/i18n/pt/email.md +++ b/i18n/pt/email.md 
@@ -22,19 +22,19 @@ O correio eletrónico é praticamente uma necessidade para subscrever qualquer s Para tudo o resto, recomendamos uma variedade de fornecedores de e-mail baseados em modelos de negócio sustentáveis e que incorporem funcionalidades de segurança e de privacidade. Para mais informações, consulte a lista completa de critérios [](#criteria). -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Dinheiro | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Dinheiro | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Dinheiro | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Dinheiro | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## Serviços Compatíveis com OpenPGP -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Por exemplo, um utilizador do Proton Mail pode enviar uma mensagem E2EE a um utilizador do Mailbox.org, ou pode receber notificações encriptadas em OpenPGP de serviços Internet que o suportem. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Por exemplo, um utilizador do Proton Mail pode enviar uma mensagem E2EE a um utilizador do Mailbox.org, ou pode receber notificações encriptadas em OpenPGP de serviços Internet que o suportem.
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Logótipo Proton Mail](assets/img/email/protonmail.svg){ align=right } -O **Proton Mail** é um serviço de e-mail que privilegia a privacidade, a encriptação, a segurança e a facilidade de utilização. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +O **Proton Mail** é um serviço de e-mail que privilegia a privacidade, a encriptação, a segurança e a facilidade de utilização. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ O **Proton Mail** é um serviço de e-mail que privilegia a privacidade, a encri -As contas gratuitas têm algumas limitações, tais como a impossibilidade de pesquisar o corpo do texto e o facto de não terem acesso ao [Proton Mail Bridge](https://proton.me/mail/bridge), que é necessário para utilizar um [cliente recomendado de e-mail para PC](email-clients.md) (por exemplo, Thunderbird). As contas pagas incluem funcionalidades como o Proton Mail Bridge, armazenamento adicional e suporte para domínios personalizados. A [Securitum](https://research.securitum.com) [certificou](https://proton.me/blog/security-audit-all-proton-apps) as aplicações do Proton Mail, em 9 de novembro de 2021. +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). As contas pagas incluem funcionalidades como o Proton Mail Bridge, armazenamento adicional e suporte para domínios personalizados. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [Securitum](https://research.securitum.com) [certificou](https://proton.me/blog/security-audit-all-proton-apps) as aplicações do Proton Mail, em 9 de novembro de 2021. Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Os subscritores do Proton Mail podem utilizar o seu próprio domínio com o serv #### :material-check:{ .pg-green } Métodos de pagamento privados -O Proton Mail [aceita](https://proton.me/support/payment-options) dinheiro por correio, para além dos pagamentos normais com cartão de crédito/débito, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) e PayPal. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Segurança da conta 
@@ -109,7 +113,7 @@ Certas informações armazenadas em [Proton Contactos](https://proton.me/support O Proton Mail tem [encriptação OpenPGP integrada](https://proton.me/support/how-to-use-pgp) no seu webmail. Os e-mails para outras contas do Proton Mail são encriptados automaticamente e a encriptação para endereços que não sejam do Proton Mail com uma chave OpenPGP pode ser ativada facilmente nas definições da sua conta. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. Isto permite que as pessoas que não utilizam o Proton Mail encontrem facilmente as chaves OpenPGP das contas do Proton Mail, para E2EE entre fornecedores. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Remoção da conta 
@@ -117,17 +121,17 @@ Se tiver uma conta paga e passarem 14 dias da data de pagamento [sem que seja pa #### :material-information-outline:{ .pg-blue } Funcionalidade adicional -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -O Proton Mail não oferece funcionalidade de legado digital. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Logótipo Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** é um serviço de e-mail cujo foco é a segurança. Não apresenta nenhum tipo de publicidade e o seu consumo de energia é garantido de forma privada por energia 100% ecológica. Estão em funcionamento desde 2014. A Mailbox.org está sediada em Berlim, na Alemanha. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. Estão em funcionamento desde 2014. A Mailbox.org está sediada em Berlim, na Alemanha. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Métodos de pagamento privados -O Mailbox.org não aceita quaisquer criptomoedas devido ao facto do seu processador de pagamentos BitPay ter suspendido as operações na Alemanha. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +O Mailbox.org não aceita quaisquer criptomoedas devido ao facto do seu processador de pagamentos BitPay ter suspendido as operações na Alemanha. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Segurança da conta -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Normas Web como a [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) ainda não são suportadas. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Segurança dos dados Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
As novas mensagens recebidas serão imediatamente encriptadas com a sua chave pública. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. Uma opção standalone [](calendar.md) pode ser mais adequada para salvaguardar a segurança dessa informação. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Encriptação de e-mail Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. Esta funcionalidade é útil quando o destinatário remoto não tem o OpenPGP e não consegue desencriptar uma cópia do e-mail na sua própria caixa de correio. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Isto permite que pessoas que não utilizem o Mailbox.org encontrem facilmente as chaves OpenPGP das contas Mailbox.org, para E2EE entre fornecedores. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Remoção da conta @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. O Mailbox.org também suporta [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync), para além dos protocolos de acesso padrão como IMAP e POP3. -O Mailbox.org tem uma funcionalidade de legado digital para todos os planos. Pode escolher se quer que os seus dados sejam transmitidos aos seus herdeiros, desde que estes o solicitem e apresentem o seu testamento. Em alternativa, pode nomear uma pessoa, fornecendo o seu nome e endereço. +O Mailbox.org tem uma funcionalidade de legado digital para todos os planos. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Em alternativa, pode nomear uma pessoa, fornecendo o seu nome e endereço. ## Mais Fornecedores 
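Review bot: Several `+` lines in the `@@ -148,23 +152,23 @@` hunk land only partially translated, so one paragraph switches language mid-sentence: the payment line runs `O Mailbox.org não aceita quaisquer criptomoedas ... However, they do accept **cash** by mail`, and the calendar line runs `... the encryption of your address book and calendar. A [standalone option](calendar.md)`. The English fallback does fix two real defects in the `-` lines (the empty link text in `[](calendar.md)` and the `Open-Exchange` misspelling of Open-Xchange), so keep those corrections, but the untranslated sentences should be rendered in Portuguese before this is merged, or the whole string held at the English source until the translation is complete rather than shipping sentence-level code switching.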
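Review bot: The `@@ -176,7 +180,7 @@` hunk replaces a correct Portuguese sentence with English that also contains a grammar slip: `+... You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament.` should read "provided that", and the `-` line it replaces (`desde que estes o solicitem e apresentem o seu testamento`) already said this correctly in the target language. This is a regression in translation coverage rather than a fix; suggest restoring the Portuguese sentence, or at least fixing "providing that" in the English source string so the fallback is right.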
@@ -195,7 +199,9 @@ Estes fornecedores armazenam as suas mensagens eletrónicas com encriptação de ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Métodos de pagamento privados -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Segurança da Conta 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Segurança dos Dados -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Isto significa que as mensagens e outros dados armazenados na sua conta só podem ser lidos por si. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Isto significa que as mensagens e outros dados armazenados na sua conta só podem ser lidos por si. #### :material-information-outline:{ .pg-blue } Encriptação de Correio Eletrónico @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## E-mail auto-hospedado Os administradores de sistemas avançados podem considerar a possibilidade de configurar o seu próprio servidor de e-mail. Os servidores de e-mail requerem atenção e manutenção contínua para se manterem seguros e para que a entrega de e-mail seja fiável. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
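Review bot: Removing `-Tuta doesn't offer a digital legacy feature.` in the `@@ -248,8 +254,6 @@` hunk deletes the only sentence that lets a reader compare Tuta with Mailbox.org on this point, whose section earlier in the same file states that a digital-legacy feature is available on all plans. If the line was dropped because Tuta now offers the feature, add the replacement sentence with a support link, as the neighbouring bullets do; if it was dropped for another reason, say so in the commit. Otherwise the line should stay, since a silent removal reads as if the comparison no longer matters.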
@@ -315,21 +319,22 @@ Consideramos que estas características são importantes para podermos prestar u **Mínimos de qualificação:** -- Encriptação de todos os dados da conta de e-mail em estado de repouso, com encriptação de acesso zero. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Funciona com uma infraestrutura própria, isto é, não se baseia em fornecedores de serviços de e-mail de terceiros. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Os nomes de domínio personalizados são importantes para os utilizadores, porque lhes permitem manter a sua agência do serviço, caso este se torne mau ou seja adquirido por outra empresa que não dê prioridade à privacidade. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Melhor caso:** -- Encriptação de todos os dados da conta (contactos, calendários, etc.) em estado de repouso, com encriptação de acesso zero. -- Encriptação E2EE/PGP integrada no webmail, fornecida como uma conveniência. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. Os utilizadores do GnuPG podem obter uma chave escrevendo: `gpg --locate-key example_user@example.com` -- Suporte para uma caixa de correio temporária para utilizadores externos. Isto é útil quando se pretende enviar uma mensagem de e-mail encriptada, sem enviar uma cópia real ao destinatário. Estas mensagens de e-mail têm normalmente um tempo de vida limitado e depois são automaticamente eliminadas. Também não requerem que o destinatário configure qualquer criptografia como o OpenPGP. 
-- Disponibilidade dos serviços do fornecedor de e-mail através de um serviço onion [](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Os nomes de domínio personalizados são importantes para os utilizadores, porque lhes permitem manter a sua agência do serviço, caso este se torne mau ou seja adquirido por outra empresa que não dê prioridade à privacidade. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Suporte para uma caixa de correio temporária para utilizadores externos. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. Estas mensagens de e-mail têm normalmente um tempo de vida limitado e depois são automaticamente eliminadas. Também não requerem que o destinatário configure qualquer criptografia como o OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Os nomes de domínio personalizados são importantes para os utilizadores, porque lhes permitem manter a sua agência do serviço, caso este se torne mau ou seja adquirido por outra empresa que não dê prioridade à privacidade. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). 
Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacidade 
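Review bot: The custom-domain criterion in the `@@ -315,21 +319,22 @@` hunk now appears in both lists: as a hard requirement, `+- Allow users to use their own [domain name](...)`, under **Mínimos de qualificação**, and again as `+- Should allow users to use their own [domain name](...)` under **Melhor caso**, each followed by the same explanatory sentence about keeping agency over the service. A criterion cannot be both a minimum and a nice-to-have; the `-` line was removed from the best-case list and a copy added to the minimums, which looks like the intended move, so drop the best-case `+` line and give the new minimum the `Must` prefix its neighbours use. Two smaller points in the same hunk: `- Catch-all or alias functionality for those who use their own domains.` is now the only best-case bullet without a `Should`, and the `gpg --locate-key example_user@example.com` example fetches over WKD only because GnuPG's `auto-key-locate` default includes `wkd`; showing the explicit `gpg --auto-key-locate wkd --locate-key ...` form would make the example work for users who have overridden that option.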
@@ -337,30 +342,30 @@ Preferimos que os nossos fornecedores recomendados recolham o mínimo de dados p **Mínimos de qualificação:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Não exigir informações de identificação pessoal (PII) para além de um nome de utilizador e uma palavra-passe. -- Política de privacidade que cumpra os requisitos definidos pelo RGPD. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Melhor caso:** -- Aceitação de [opções de pagamento anónimas](advanced/payments.md) ([criptomoeda](cryptocurrency.md), dinheiro, cartões de oferta, etc.) -- Alojamento numa jurisdição com leis rigorosas de proteção da privacidade do e-mail. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Segurança -Os servidores de e-mail lidam com uma grande quantidade de dados muito sensíveis. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Mínimos de qualificação:** -- Proteção do webmail com 2FA, como o TOTP. -- Zero access encryption, which builds on encryption at rest. Vedar o acesso do fornecedor às chaves de desencriptação dos dados. Isto impede que um funcionário desonesto divulgue os dados a que tem acesso ou que um adversário remoto divulgue os dados que roubou ao obter acesso não autorizado ao servidor. 
+- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. Vedar o acesso do fornecedor às chaves de desencriptação dos dados. Isto impede que um funcionário desonesto divulgue os dados a que tem acesso ou que um adversário remoto divulgue os dados que roubou ao obter acesso não autorizado ao servidor. - [Suporte DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- Uma opção de suite de servidor (opcional no TLSv1.3) para suites de cifras fortes que suportem encaminhamento sigiloso e encriptação autenticada. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - Uma política válida [MTA-STS](https://tools.ietf.org/html/rfc8461) e [TLS-RPT](https://tools.ietf.org/html/rfc8460). - Registos [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) válidos. - Registos [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) e [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) válidos. -- Registo e política [DMARC](https://en.wikipedia.org/wiki/DMARC) adequados ou [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) para autenticação. Se estiver a ser utilizada a autenticação DMARC, a política deve ser definida como `reject` ou `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. 
Se estiver a ser utilizada a autenticação DMARC, a política deve ser definida como `reject` ou `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). - Submissão [SMTPS](https://en.wikipedia.org/wiki/SMTPS), assumindo que é utilizado o SMTP. - Normas de segurança de sites Web, tais como: @@ -370,10 +375,10 @@ Os servidores de e-mail lidam com uma grande quantidade de dados muito sensívei **Melhor caso:** -- Suporte para autenticação de hardware, isto é. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [Registo de Recursos de Autorização de Autoridade de Certificação (CAA) do DNS](https://tools.ietf.org/html/rfc6844), para além do suporte DANE. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Auditorias de segurança publicadas por uma empresa terceira de renome. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Programas de recompensa de bugs e/ou um processo coordenado de divulgação de vulnerabilidades. - Normas de segurança de sites Web, tais como: - [Política de segurança de conteúdo (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
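Review bot: The rewritten DMARC bullet in the `@@ -337,30 +342,30 @@` hunk, `+- Must have a proper [DMARC](...) record and policy or use [ARC](...) for authentication.`, presents ARC as an alternative to DMARC, but ARC only preserves upstream SPF/DKIM/DMARC results across forwarders and mailing lists; it does not authenticate the sending domain and cannot stand in for an aligned DMARC policy. The best-case list in the following `@@ -370,10 +375,10 @@` hunk already describes ARC correctly (`+- Should implement [Authenticated Received Chain (ARC)](...), which is useful for people who post to mailing lists`), so the minimum should require DMARC with `reject` or `quarantine`, as the next sentence says, and drop `or use ARC`. Also, the `Must` prefix introduced on that bullet is not applied to the other minimums in this list (`+- Protection of webmail with 2FA...`, `+- Zero-access encryption...`), whereas every bullet in the privacy minimums above received one; the lists should be made consistent in one pass.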
@@ -381,7 +386,7 @@ Os servidores de e-mail lidam com uma grande quantidade de dados muito sensívei ### Confiança -Se não confiaria as suas finanças a alguém com uma identidade falsa, por que razão deveria confiar-lhe o seu e-mail? Exigimos que os nossos fornecedores recomendados sejam transparentes quanto à sua propriedade ou liderança. Gostaríamos também de ver relatórios de transparência frequentes, especialmente no que diz respeito à forma como os pedidos do governo são tratados. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Exigimos que os nossos fornecedores recomendados sejam transparentes em relação à sua propriedade ou liderança. Gostaríamos também de ver relatórios de transparência frequentes, especialmente no que diz respeito à forma como os pedidos do governo são tratados. **Mínimos de qualificação:** 
@@ -398,19 +403,16 @@ With the email providers we recommend, we like to see responsible marketing. **Mínimos de qualificação:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Reivindicações de "encriptação inquebrável" A encriptação deve ser utilizada com a consciência de poder vir a não ser secreta no futuro, quando existir tecnologia para a decifrar. -- Garantir a proteção do anonimato a 100%. Quando alguém afirma que algo é 100%, significa que não há possibilidade de falha. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Impressão digital do browser](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Impressão digital do browser](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Melhor caso:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. 
### Funcionalidade adicional -Embora não sejam requisitos obrigatórios, existem outros fatores de conveniência ou privacidade que analisámos ao determinar os fornecedores a recomendar. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/pt/os/android-overview.md b/i18n/pt/os/android-overview.md index d662dc68..23e9da85 100644 --- a/i18n/pt/os/android-overview.md +++ b/i18n/pt/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
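Review bot: In the `@@ -398,19 +403,16 @@` hunk the `+` line `When someone makes a claim that something is 100%, it means there is no certainty for failure` inverts the sense of the `-` line it replaces (`significa que não há possibilidade de falha`, i.e. no possibility of failure); suggest "it means there is no possibility of failure". The restructured nested list is an improvement over the detached paragraphs, but note that the new example `without anonymity software such as Tor` drops the `VPN, etc.` that the `-` line listed; if the English source changed, fine, otherwise this is a translation regression worth checking.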
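Review bot: In the Android `@@ -132,7 +132,7 @@` hunk the relinked bullet still states that Advanced Protection `disallows the use of ... [OAuth](../basics/account-creation.md#sign-in-with-oauth)`, which contradicts the very next context line, `- Only Google and verified third-party apps can access account data`: that access is granted through OAuth, so the program restricts which OAuth clients may be authorised rather than disallowing OAuth. Since the link now points at the page's own "Sign in with OAuth" section, this is the right moment to reword the bullet, for example keeping the SMS OTP and TOTP clause as the stricter-2FA point and moving OAuth to "restricts OAuth access to Google and verified third-party apps".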
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/ru/basics/account-creation.md b/i18n/ru/basics/account-creation.md index 2b3243e4..d8ad095a 100644 --- a/i18n/ru/basics/account-creation.md +++ b/i18n/ru/basics/account-creation.md 
@@ -42,7 +42,7 @@ The Privacy Policy is how the service says they will use your data, and it is wo #### Псевдонимы электронной почты -Если вы не хотите предоставлять сервису свой настоящий адрес электронной почты, у вас есть возможность использовать псевдоним. Более подробно мы описали их на странице рекомендаций по использованию сервисов электронной почты. По сути, службы почты позволяют создавать новые адреса электронной почты, которые пересылают все письма на ваш основной адрес. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Они могут быть автоматически отфильтрованы на основе псевдонима, на который они отправлены. +Если вы не хотите предоставлять сервису свой настоящий адрес электронной почты, у вас есть возможность использовать псевдоним. We describe them in more detail on our email services recommendation page. По сути, службы почты позволяют создавать новые адреса электронной почты, которые пересылают все письма на ваш основной адрес. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Они могут быть автоматически отфильтрованы на основе псевдонима, на который они отправлены. Если сервис будет взломан, вы можете начать получать фишинговые или спамерские письма на адрес, который вы использовали при регистрации. Использование уникальных псевдонимов для каждого сервиса может помочь определить, какой именно сервис был взломан. 
@@ -50,19 +50,19 @@ The Privacy Policy is how the service says they will use your data, and it is wo ### "Войти с помощью..." (OAuth) -OAuth - это протокол аутентификации, который позволяет вам зарегистрироваться на сервисе, не передавая поставщику услуг много информации, используя вместо этого существующую учетную запись, имеющуюся у вас в другом сервисе. Если в форме регистрации вы видите что-то вроде "Войти с помощью *название сервиса*", это, как правило, использование OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Если в форме регистрации вы видите что-то вроде "Войти с помощью *название сервиса*", это, как правило, использование OAuth. При входе с помощью OAuth откроется страница входа в систему с выбранным вами провайдером, а ваша существующая учетная запись и новая учетная запись будут связаны. Ваш пароль не будет передан, но некоторая основная информация обычно передается (вы можете просмотреть ее во время запроса на вход). Этот процесс необходим каждый раз, когда вы хотите войти в одну и ту же учетную запись. Основными преимуществами являются: -- **Безопасность**: вам не придется доверять методам безопасности сервиса, в который вы входите, когда речь идет о хранении ваших учетных данных, поскольку они хранятся у внешнего провайдера OAuth, который, если речь идет о таких сервисах, как Apple и Google, обычно следует лучшим методам безопасности, постоянно проверяет свои системы аутентификации и не хранит учетные данные в ненадлежащем виде (например, в виде обычного текста). -- **Простота использования**: управление несколькими учетными записями осуществляется с помощью одного логина. 
+- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. Но есть и недостатки: -- **Конфиденциальность**: провайдер OAuth, с помощью которого вы входите в систему, будет знать, какими услугами вы пользуетесь. -- **Централизация**: если учётная запись, которую вы используете для OAuth, взломана, или вы не можете войти в неё, все остальные учётные записи, подключённые к ней, будут затронуты. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth может быть особенно полезен в тех случаях, когда вам может быть полезна более глубокая интеграция между сервисами. Наша рекомендация - ограничить использование OAuth только там, где это необходимо, и всегда защищать основной аккаунт с помощью [МФА](multi-factor-authentication.md). diff --git a/i18n/ru/basics/email-security.md b/i18n/ru/basics/email-security.md index 746c33ae..6a951bc2 100644 --- a/i18n/ru/basics/email-security.md +++ b/i18n/ru/basics/email-security.md 
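Review bot: The expanded term in the `@@ -50,19 +50,19 @@` hunk, `[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol`, contradicts its own name: OAuth is an authorization framework for delegating access to resources, and the "Sign in with ..." flows this section describes are built on OpenID Connect, which adds the identity layer on top of OAuth. Suggest "is an authorization framework, used together with OpenID Connect for sign-in" or, if the page wants to stay non-technical, "is a protocol that lets you register for a service ...". The reworked security bullet is otherwise better than the `-` line: stating separately that `Common OAuth providers like Apple and Google typically follow the best security practices` makes clear the claim is about those named providers and not about every OAuth provider.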
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Электронная почта по умолчанию является небезопасной формой коммуникации. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Электронная почта по умолчанию является небезопасной формой коммуникации. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. Таким образом, электронную почту лучше всего использовать для получения транзакционных писем (например, уведомлений, писем для проверки, сброса пароля и т.д.) от сайтов, в которых у вас есть аккаунт, а не для общения с другими людьми. ## Обзор шифрования электронной почты -Стандартным способом добавления E2EE в электронные письма между различными поставщиками услуг электронной почты является использование OpenPGP. Существуют различные реализации стандарта OpenPGP, наиболее распространенными из которых являются [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) и [OpenPGP.js](https://openpgpjs.org). +Стандартным способом добавления E2EE в электронные письма между различными поставщиками услуг электронной почты является использование OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Даже если вы используете OpenPGP, он не поддерживает [прямую секретность](https://ru.wikipedia.org/wiki/Perfect_forward_secrecy), что означает, что если ваш закрытый ключ или закрытый ключ получателя когда-либо будет украден, все предыдущие сообщения, зашифрованные с его помощью, могут быть расшифрованы. 
Именно поэтому мы рекомендуем использовать для общения между людьми [мессенджеры](../real-time-communication.md), которые обеспечивают прямую секретность, а не электронную почту. +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. Именно поэтому мы рекомендуем использовать для общения между людьми [мессенджеры](../real-time-communication.md), которые обеспечивают прямую секретность, а не электронную почту. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## Что такое стандарт Web Key Directory? 
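Review bot: `[Google Workplace](https://support.google.com/a/topic/9061730)` in the S/MIME sentence is carried unchanged from the `-` line into the `+` line; the product is Google Workspace, and the linked support topic is its admin help. Since the `@@ -5,17 +5,17 @@` hunk only reflows that sentence and tidies punctuation, fixing the name in the English source string now would propagate to every locale in this commit. The other changes in the hunk (linking GnuPG to the page's own encryption section, lowercasing "end-to-end encryption") look correct.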
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email В дополнение к [рекомендованным почтовым клиентам](../email-clients.md), поддерживающим WKD, некоторые браузерные почтовые интерфейсы также поддерживают WKD. Будет ли *ваш личный* ключ опубликован в WKD для других пользователей, зависит от конфигурации вашего домена. Если вы пользуетесь [почтовым провайдером](../email.md#openpgp-compatible-services), поддерживающим WKD, таким как Proton Mail или Mailbox.org, они опубликуют ваш OpenPGP-ключ на своем домене. -Если же вы используете свой собственный домен, вам потребуется настроить WKD отдельно. Если вы контролируете доменное имя, вы можете настроить WKD независимо от почтового провайдера. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Кроме того, можно [запустить WKD на собственном сервере](https://wiki.gnupg.org/WKDHosting). +Если же вы используете свой собственный домен, вам потребуется настроить WKD отдельно. Если вы контролируете доменное имя, вы можете настроить WKD независимо от почтового провайдера. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Кроме того, можно [запустить WKD на собственном сервере](https://wiki.gnupg.org/WKDHosting). -Если вы используете общий домен от провайдера, не поддерживающего WKD, например @gmail.com, вы не сможете поделиться своим OpenPGP-ключом с другими при помощи данного метода. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### Какие почтовые клиенты поддерживают E2EE? -Провайдеры электронной почты, позволяющие использовать стандартные протоколы доступа, такие как IMAP и SMTP, можно использовать с любым [ почтовым клиентом, которые мы рекомендуем](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Провайдеры электронной почты, позволяющие использовать стандартные протоколы доступа, такие как IMAP и SMTP, можно использовать с любым [ почтовым клиентом, которые мы рекомендуем](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### Как я могу защитить свои приватные ключи? 
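Review bot: Two points on the `@@ -23,13 +23,13 @@` hunk. First, the `+` line's replacement of `OATH` with `[OAuth](account-creation.md#sign-in-with-oauth)` in the email-clients paragraph is a genuine correction, not just a link: the `-` line's "OATH" names the HOTP/TOTP initiative, which is unrelated to the bridge-or-OAuth login the sentence is about, so this should be called out in the commit rather than buried in a translation sync. Second, the "WKD as a Service" instructions (CNAME on the `openpgpkey` subdomain pointing at `wkd.keys.openpgp.org`, then upload to keys.openpgp.org) should carry a one-line trust caveat: once that CNAME exists, the keys.openpgp.org operator answers every WKD lookup for your domain and you rely on its address verification to decide which key correspondents fetch. The self-hosting option already linked at the end of the same sentence is the natural pointer for readers who do not want that dependency.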
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Обзор метаданных электронной почты -Метаданные электронной почты хранятся в [заголовке птсьма](https://ru.wikipedia.org/wiki/%D0%AD%D0%BB%D0%B5%D0%BA%D1%82%D1%80%D0%BE%D0%BD%D0%BD%D0%B0%D1%8F_%D0%BF%D0%BE%D1%87%D1%82%D0%B0#%D0%97%D0%B0%D0%B3%D0%BE%D0%BB%D0%BE%D0%B2%D0%BA%D0%B8_%D0%BF%D0%B8%D1%81%D1%8C%D0%BC%D0%B0) электронной почты и включают некоторые видимые параметры, которые вы могли видеть, такие как: `Кому`, `От`, `Копия`, `Дата`, `Тема`. Существует также ряд скрытых заголовков, включаемых многими почтовыми клиентами и провайдерами, которые могут раскрыть информацию о вашем аккаунте. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. Существует также ряд скрытых заголовков, включаемых многими почтовыми клиентами и провайдерами, которые могут раскрыть информацию о вашем аккаунте. Клиентское программное обеспечение может использовать метаданные электронной почты, чтобы показать, от кого пришло сообщение и в какое время оно было получено. Серверы могут использовать его для определения места отправки сообщения электронной почты, а также для [других целей](https://ru.wikipedia.org/wiki/%D0%AD%D0%BB%D0%B5%D0%BA%D1%82%D1%80%D0%BE%D0%BD%D0%BD%D0%B0%D1%8F_%D0%BF%D0%BE%D1%87%D1%82%D0%B0#%D0%97%D0%B0%D0%B3%D0%BE%D0%BB%D0%BE%D0%B2%D0%BA%D0%B8_%D0%BF%D0%B8%D1%81%D1%8C%D0%BC%D0%B0), которые не всегда прозрачны. ### Кто может просматривать метаданные электронной почты? 
-Метаданные электронной почты защищены от внешних наблюдателей с помощью [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), но они все еще могут быть видны программному обеспечению вашего почтового клиента (или веб-почты) и любым серверам, передающим сообщение от вас любым получателям, включая вашего поставщика услуг электронной почты. Иногда почтовые серверы для защиты от спама используют сторонние службы, которые, как правило, также имеют доступ к вашим сообщениям. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Иногда почтовые серверы для защиты от спама используют сторонние службы, которые, как правило, также имеют доступ к вашим сообщениям. ### Почему метаданные не могут быть E2EE? -Метаданные электронной почты имеют решающее значение для самой базовой функциональности электронной почты (откуда она пришла и куда должна отправиться). E2EE изначально не был встроен в почтовые протоколы, вместо этого потребовалось дополнительное программное обеспечение, такое как OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Метаданные электронной почты имеют решающее значение для самой базовой функциональности электронной почты (откуда она пришла и куда должна отправиться). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. 
Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/ru/email-aliasing.md b/i18n/ru/email-aliasing.md index 500c5885..5a1ef551 100644 --- a/i18n/ru/email-aliasing.md +++ b/i18n/ru/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Рекомендованные провайдеры
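Review bot: the added block from `+## Benefits` down to the `Over Temporary Email Services` bullets is the untranslated English source inside a Russian page, while the adjacent context heading `## Рекомендованные провайдеры` is translated, so this whole section will render in English until the new Crowdin segments are completed. The markdown structure of the block itself is sound (blank `+` lines separate each heading, paragraph and list), so nothing needs changing in the hunk beyond tracking the missing translations.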
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Критерии -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/ru/email-clients.md b/i18n/ru/email-clients.md index 02cbb1e2..4f02ec13 100644 --- a/i18n/ru/email-clients.md +++ b/i18n/ru/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Поставщики услуг](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Целевые атаки](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/ru/email.md b/i18n/ru/email.md index ea779cb8..5fcfc70a 100644 --- a/i18n/ru/email.md +++ b/i18n/ru/email.md 
@@ -22,19 +22,19 @@ global: Для всего остального мы рекомендуем различных провайдеров электронной почты, которые базируются на устойчивых бизнес-моделях и встроенных функциях безопасности и конфиденциальности. Для получения дополнительной информации, ознакомьтесь с [полным списком критериев](#criteria). -| Провайдер | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Анонимные платежи | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Наличные | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Наличные | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Провайдер | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Наличные | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Наличные | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## Сервисы, поддерживающие OpenPGP -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Например, пользователь Proton Mail может отправлять E2EE-зашифрованное сообщение пользователю Mailbox.org, или ты можешь получить OpenPGP-зашифрованное уведомление от интернет-сервисов, поддерживающих такую функцию. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Например, пользователь Proton Mail может отправлять E2EE-зашифрованное сообщение пользователю Mailbox.org, или ты можешь получить OpenPGP-зашифрованное уведомление от интернет-сервисов, поддерживающих такую функцию.
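Review bot: the Tuta row of the `+` table ends its last cell on one line (`| Monero`) and continues on the next (`Cash via third party |`); a literal newline inside a cell terminates a GFM table row, so make sure the cell uses an inline break such as `<br>` between the two payment methods rather than a raw line break, and diff the row against the English source. Two more points in this hunk: the header cell `Анонимные платежи` has been replaced by the English `Anonymous Payment Methods` (a reverted translation beside the still-Russian `Провайдер`), and the new link target `email-aliasing.md#recommended-providers` points at a heading that, in this patch's email-aliasing.md hunk, reads `## Рекомендованные провайдеры` with no explicit `{ #recommended-providers }` attribute, so verify the anchor resolves in the built Russian site.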
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key Когда вы используете технологию E2EE вроде OpenPGP, электронные письма все равно содержат некоторые незашифрованные метаданные в заголовках письма, в том числе тему! Узнайте больше о [метаданных электронной почты](basics/email-security.md#email-metadata-overview). -OpenPGP также не поддерживает прямую секретность, поэтому если ваш приватный ключ или ключ адресата будет украден, все предыдущие сообщения, зашифрованные с его помощью, будут раскрыты. [Как я могу защитить свои приватные ключи?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP также не поддерживает прямую секретнос ![Логотип Proton Mail](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** — это сервис электронной почты, фокусирующийся на приватности, шифровании, безопасности и простоте использования. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** — это сервис электронной почты, фокусирующийся на приватности, шифровании, безопасности и простоте использования. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP также не поддерживает прямую секретнос -Бесплатные аккаунты имеют некоторые ограничения, такие как невозможность поиска писем по седержимому и отсутствие доступа к [Proton Mail Bridge](https://proton.me/mail/bridge), который необходим для использования [рекомендуемого настольного почтового клиента](email-clients.md) (например, Thunderbird). Платные аккаунты включают такие функции, как Proton Mail Bridge, дополнительное хранилище и поддержку пользовательских доменов. [Аттестационное письмо](https://proton.me/blog/security-audit-all-proton-apps) было предоставлено для приложений Proton Mail 9 ноября 2021 года компанией [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Платные аккаунты включают такие функции, как Proton Mail Bridge, дополнительное хранилище и поддержку пользовательских доменов. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +[Аттестационное письмо](https://proton.me/blog/security-audit-all-proton-apps) было предоставлено для приложений Proton Mail 9 ноября 2021 года компанией [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
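Review bot: the `+Free accounts have some limitations...` line is one paragraph stitched from three Crowdin segments, and only the middle one (`Платные аккаунты включают...`) is Russian, so the rendered paragraph flips from English to Russian and back mid-text; the `[Аттестационное письмо]...` sentence moved into its own `+` line is fine on its own. Treat the two English segments as untranslated strings to be completed in Crowdin rather than hand-editing this generated file.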
@@ -93,7 +97,7 @@ Proton Mail has internal crash reports that are **not** shared with third partie #### :material-check:{ .pg-green } Конфиденциальные способы оплаты -Proton Mail [принимает](https://proton.me/support/payment-options) наличные по почте в дополнение к стандартным платежам кредитными/дебетовыми картами, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), и PayPal. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Безопасность аккаунта 
@@ -109,7 +113,7 @@ Proton Mail использует [шифрование с нулевым дос Proton Mail [интегрировал шифрование OpenPGP](https://proton.me/support/how-to-use-pgp) в свою веб-почту. Письма, отправленные на другие аккаунты Proton Mail шифруются автоматически. Шифрование писем с помощью ключа OpenPGP на адреса, не принадлежащие Proton Mail, можно легко включить в настройках аккаунта. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. Это позволяет людям, не использующим Proton Mail, легко находить OpenPGP-ключи учетных записей Proton Mail для кросс-провайдерского E2EE. Это относится только к адресам электронной почты, заканчивающимся на один из собственных доменов "Протона", например @proton.me. При использовании кастомного домена необходимо [настроить WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) отдельно. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Блокировка аккаунта 
@@ -117,17 +121,17 @@ Proton Mail also publishes the public keys of Proton accounts via HTTP from thei #### :material-information-outline:{ .pg-blue } Дополнительная функциональность -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail не предлагает функцию цифрового наследия. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Логотип Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** - это сервис электронной почты, ориентированный на безопасность, отсутствие рекламы и приватное электроснабжение от 100% экологически чистой энергии. Они работают с 2014 года. Mailbox.org базируется в Берлине, Германия. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. Они работают с 2014 года. Mailbox.org базируется в Берлине, Германия. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
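Review bot: the `-Proton Mail не предлагает функцию цифрового наследия.` removal drops a statement of fact from the Russian page with no replacement among the `+` lines; since this PR only touches translation files, confirm that the English source actually removed that sentence (the Mailbox.org digital-legacy paragraph later in this patch is kept), otherwise the Russian page loses a comparison point the source language still has. The `+**Mailbox.org** is an email service ...` line is another reverted translation sitting in front of two Russian sentences and should be queued for retranslation.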
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Конфиденциальные способы оплаты -Mailbox.org не принимает криптовалюты в связи с тем, что их платежная система BitPay приостановила работу в Германии. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org не принимает криптовалюты в связи с тем, что их платежная система BitPay приостановила работу в Германии. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Безопасность аккаунта -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Веб-стандарты, такие, как [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), пока не поддерживаются. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Безопасность данных Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
Новые сообщения, которые ты получаешь, будут немедленно зашифрованы твоим открытым ключом. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. [Отдельное решение](calendar.md) может больше подойти для этой информации. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Шифрование электронной почты Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. Эта функция полезна, когда получатель не имеет OpenPGP и не может расшифровать копию письма в собственном почтовом ящике. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Это позволяет людям, не использующим Mailbox.org, легко находить OpenPGP-ключи учетных записей Mailbox.org для кросс-провайдерского E2EE. Это относится только к адресам электронной почты, заканчивающимся на один из собственных доменов "Mailbox.org", например @mailbox.org. При использовании кастомного домена необходимо [настроить WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) отдельно. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Блокировка аккаунта @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org также поддерживает [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) в дополнение к стандартным протоколам доступа, таким как IMAP и POP3. -Mailbox.org имеет функцию цифрового наследия для всех тарифных планов. Ты можешь выбрать, хочешь ли ты, чтобы какие-либо из твоих данных были переданы твоим наследникам, при условии, что они подадут заявление и предоставят твоё завещание. Кроме того, ты можешь назначить наследника по имени и адресу. +Mailbox.org имеет функцию цифрового наследия для всех тарифных планов. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Кроме того, ты можешь назначить наследника по имени и адресу. ## Дополнительные провайдеры 
@@ -195,7 +199,9 @@ Mailbox.org имеет функцию цифрового наследия для ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Конфиденциальные способы оплаты -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Безопасность аккаунта 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Безопасность данных -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Это означает, что сообщения и другие данные, хранящиеся на твоём аккаунте, доступны для чтения только тебе. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Это означает, что сообщения и другие данные, хранящиеся на твоём аккаунте, доступны для чтения только тебе. #### :material-information-outline:{ .pg-blue } Шифрование электронной почты @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Электронная почта для самостоятельного хостинга Продвинутые системные администраторы могут рассмотреть возможность создания собственного сервера электронной почты. Почтовые серверы требуют внимания и постоянного обслуживания, чтобы поддерживать безопасность и надежность доставки почты. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit **Минимальные требования:** -- Шифрует данные аккаунта электронной почты в состоянии покоя с помощью шифрования с нулевым доступом. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Работает на собственной инфраструктуре, т.е. не опирается на сторонних провайдеров электронной почты. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Пользовательские доменные имена важны для пользователей, поскольку позволяют им сохранить свое агентство от сервиса, если он окажется плохим или будет приобретен другой компанией, которая не уделяет приоритетного внимания конфиденциальности. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **В лучшем случае:** -- Шифрует все данные аккаунта (Контакты, Календари и т.д.) в состоянии покоя с помощью шифрования с нулевым доступом. -- Встроенное шифрование веб-почты E2EE/PGP обеспечивает удобство. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. Пользователи GnuPG могут получить ключ, набрав: `gpg --locate-key example_user@example.com` -- Поддержка временного почтового ящика для внешних пользователей. Это полезно, когда вы хотите отправить зашифрованное сообщение электронной почты, не отправляя фактическую копию получателю. Такие письма обычно имеют ограниченный срок действия, а затем автоматически удаляются. Они также не требуют от получателя настройки какой-либо криптографии, как OpenPGP. 
-- Доступность услуг провайдера электронной почты через [службу .onion](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Пользовательские доменные имена важны для пользователей, поскольку позволяют им сохранить свое агентство от сервиса, если он окажется плохим или будет приобретен другой компанией, которая не уделяет приоритетного внимания конфиденциальности. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Поддержка временного почтового ящика для внешних пользователей. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. Такие письма обычно имеют ограниченный срок действия, а затем автоматически удаляются. Они также не требуют от получателя настройки какой-либо криптографии, как OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Пользовательские доменные имена важны для пользователей, поскольку позволяют им сохранить свое агентство от сервиса, если он окажется плохим или будет приобретен другой компанией, которая не уделяет приоритетного внимания конфиденциальности. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Конфиденциальность 
@@ -337,30 +342,30 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit **Минимальные требования:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Не требуйте личной идентификационной информации (PII), кроме имени пользователя и пароля. -- Политика конфиденциальности, отвечающая требованиям GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **В лучшем случае:** -- Принимает [анонимные варианты оплаты](advanced/payments.md) ([криптовалюту](cryptocurrency.md), наличные, подарочные карты и т.д.) -- Хостинг в юрисдикции с сильными законами о защите конфиденциальности электронной почты. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Безопасность -Серверы электронной почты работают с большим количеством очень конфиденциальных данных. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Минимальные требования:** -- Защита веб-почты с помощью 2FA, например, TOTP. -- Zero access encryption, which builds on encryption at rest. Провайдер не имеет ключей расшифровки для хранящихся у него данных. Это предотвращает утечку данных, к которым имеет доступ недобросовестный сотрудник. Или утечку данных, которые злоумышленник украл, получив несанкционированный доступ к серверу. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). 
+- Zero-access encryption, which builds on encryption at rest. Провайдер не имеет ключей расшифровки для хранящихся у него данных. Это предотвращает утечку данных, к которым имеет доступ недобросовестный сотрудник. Или утечку данных, которые злоумышленник украл, получив несанкционированный доступ к серверу. - Поддержка [DNSSEC](https://ru.wikipedia.org/wiki/DNSSEC). - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- Настройки сервера (опционально для TLSv1.3) для сильных наборов шифров, которые поддерживают прямую секретность и аутентифицированное шифрование. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - Действующая политика [MTA-STS](https://tools.ietf.org/html/rfc8461) и [TLS-RPT](https://tools.ietf.org/html/rfc8460). - Действительные записи [DANE](https://ru.wikipedia.org/wiki/DANE). - Действительные записи [SPF](https://ru.wikipedia.org/wiki/Sender_Policy_Framework) и [DKIM](https://ru.wikipedia.org/wiki/DomainKeys_Identified_Mail). -- Имеет надлежащую политику и запись [DMARC](https://ru.wikipedia.org/wiki/DMARC) или использует [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) для аутентификации. Если используется DMARC-аутентификация, политика должна быть установлена на `reject` или `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. Если используется DMARC-аутентификация, политика должна быть установлена на `reject` или `quarantine`. 
- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). - [SMTPS](https://en.wikipedia.org/wiki/SMTPS) отправка, при условии использования SMTP. - Стандарты безопасности веб-сайта, такие как: @@ -370,10 +375,10 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit **В лучшем случае:** -- Поддержка аппаратной аутентификации, т.е. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [Запись ресурса DNS Certification Authority Authorization (CAA)](https://tools.ietf.org/html/rfc6844) в дополнение к поддержке DANE. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Опубликованные аудиты безопасности от авторитетной сторонней фирмы. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Программы "bug-bounty" и/или скоординированный процесс раскрытия информации об уязвимостях. - Стандарты безопасности веб-сайта, такие как: - [Политика безопасности контента (CSP, Content-Security-Policy)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -381,7 +386,7 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit ### Доверие -Вы бы не доверили свои финансы человеку с фальшивой личностью, так зачем доверять ему свою электронную почту? Мы требуем, чтобы рекомендованные нами поставщики услуг открыто заявляли о своих владельцах или своём руководстве. Мы также хотели бы видеть частые отчеты о прозрачности, особенно в отношении того, как обрабатываются правительственные запросы. +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Мы требуем, чтобы рекомендованные нами поставщики услуг открыто заявляли о своих владельцах или своём руководстве. Мы также хотели бы видеть частые отчеты о прозрачности, особенно в отношении того, как обрабатываются правительственные запросы. **Минимальные требования:** 
@@ -398,19 +403,16 @@ With the email providers we recommend, we like to see responsible marketing. **Минимальные требования:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Заявления о "невзламываемом шифровании." Шифрование должно использоваться с тем расчетом, что в будущем, когда появится технология для его взлома, оно может оказаться не секретным. -- Предоставление гарантий защиты анонимности на 100%. Когда кто-то утверждает: "Это является на 100% ..." - это не означает, что кто-то не может ошибиться. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Цифровые отпечатки браузера](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Цифровые отпечатки браузера](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **В лучшем случае:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. 
### Дополнительная функциональность -Хотя это и не является строгими требованиями, существуют и другие факторы удобства или конфиденциальности, на которые мы обращали внимание при выборе рекомендуемых провайдеров. +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/ru/os/android-overview.md b/i18n/ru/os/android-overview.md index 30d88955..1c6433eb 100644 --- a/i18n/ru/os/android-overview.md +++ b/i18n/ru/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr Программа дополнительной защиты обеспечивает усиленный мониторинг угроз и активирует: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Только Google и проверенные сторонние приложения могут получить доступ к данным аккаунта - Сканирование входящих писем на аккаунтах Gmail на наличие [фишинга](https://en.wikipedia.org/wiki/Phishing#Email_phishing) - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Отключите эту функцию, чтобы ограничить объем собираемых о вас данных. -В дистрибутивах андроид с [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), откройте :gear: **Настройки** → **Приложения** → **Sandboxed Google Play** → **Google Settings** → **Реклама**, и выберите *Удалить рекламный идентификатор*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Проверьте diff --git a/i18n/sv/basics/account-creation.md b/i18n/sv/basics/account-creation.md index e169792b..873c28b3 100644 --- a/i18n/sv/basics/account-creation.md +++ b/i18n/sv/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Logga in med..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/sv/basics/email-security.md b/i18n/sv/basics/email-security.md index c08abd0a..88127910 100644 --- a/i18n/sv/basics/email-security.md +++ b/i18n/sv/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -E-post är som standard en osäker kommunikationsform. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +E-post är som standard en osäker kommunikationsform. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. E-post används därför bäst för att ta emot transaktionsmeddelanden (t. ex. meddelanden, verifieringsmeddelanden, lösenordsåterställning osv.) från de tjänster du registrerar dig för online, inte för att kommunicera med andra. ## E-post-krypteringsnycklar -Standardmetoden för att lägga till E2EE i e-postmeddelanden mellan olika e-postleverantörer är att använda OpenPGP. Det finns olika implementeringar av OpenPGP-standarden, de vanligaste är [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) och [OpenPGP.js](https://openpgpjs.org). +Standardmetoden för att lägga till E2EE i e-postmeddelanden mellan olika e-postleverantörer är att använda OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Även om du använder OpenPGP har det inte stöd för [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), vilket innebär att om antingen din eller mottagarens privata nyckel någonsin stjäls kommer alla tidigare meddelanden som krypterats med den att avslöjas. 
Det är därför vi rekommenderar [snabbmeddelanden](../real-time-communication.md) som implementerar vidarebefordran av sekretess via e-post för person-till-person-kommunikation när det är möjligt. +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. Det är därför vi rekommenderar [snabbmeddelanden](../real-time-communication.md) som implementerar vidarebefordran av sekretess via e-post för person-till-person-kommunikation när det är möjligt. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## What is the Web Key Directory standard? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### Vilka e-postklienter stöder E2EE? -E-postleverantörer som tillåter dig att använda standardprotokoll som IMAP och SMTP kan användas med någon av de e-postklienter på [som vi rekommenderar](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +E-postleverantörer som tillåter dig att använda standardprotokoll som IMAP och SMTP kan användas med någon av de e-postklienter på [som vi rekommenderar](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### Hur skyddar jag mina privata nycklar? 
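Review bot: In the `+` line under "### Vilka e-postklienter stöder E2EE?" the paragraph is left half-translated: the Swedish first sentence ("E-postleverantörer som tillåter dig ... någon av de e-postklienter på [som vi rekommenderar]", where the stranded "på" reads as a broken translation) is followed by an untranslated English sentence ("Depending on the authentication method, this may lead to decreased security ..."). Either translate the whole paragraph or fall back to the English source for all of it rather than shipping a mixed-language paragraph. Minor, in the WKD `+` line: "from the `keys.openpgp.org` server: Set a CNAME record" capitalizes "Set" after a colon; lowercase it.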
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Översikt över metadata för e-post -E-postmetadata lagras i e-postmeddelandets [meddelandehuvud](https://en.wikipedia.org/wiki/Email#Message_header) och innehåller några synliga rubriker som du kanske har sett, t.ex: `To`, `From`, `Cc`, `Date`, `Subject`. Det finns också ett antal dolda rubriker som ingår i många e-postklienter och e-postleverantörer och som kan avslöja information om ditt konto. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. Det finns också ett antal dolda rubriker som ingår i många e-postklienter och e-postleverantörer och som kan avslöja information om ditt konto. Klientprogram kan använda metadata för e-post för att visa vem ett meddelande är från och när det togs emot. Servrar kan använda den för att avgöra var ett e-postmeddelande måste skickas, bland [andra ändamål](https://en.wikipedia.org/wiki/Email#Message_header) som inte alltid är transparenta. ### Vem kan se metadata för e-post? -E-postmetadata skyddas från utomstående observatörer med [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) som skyddar dem från utomstående observatörer, men de kan fortfarande ses av din e-postklientprogramvara (eller webbmail) och alla servrar som vidarebefordrar meddelandet från dig till mottagare, inklusive din e-postleverantör. Ibland använder e-postservrar också tjänster från tredje part för att skydda sig mot skräppost, som i allmänhet också har tillgång till dina meddelanden. 
+Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Ibland använder e-postservrar också tjänster från tredje part för att skydda sig mot skräppost, som i allmänhet också har tillgång till dina meddelanden. ### Varför kan metadata inte vara E2EE? -Metadata för e-post är avgörande för e-postens mest grundläggande funktionalitet (varifrån den kom och vart den ska ta vägen). E2EE var ursprungligen inte inbyggt i e-postprotokollen, utan krävde istället tilläggsprogram som OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Metadata för e-post är avgörande för e-postens mest grundläggande funktionalitet (varifrån den kom och vart den ska ta vägen). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/sv/email-aliasing.md b/i18n/sv/email-aliasing.md index f770c9aa..a2a09d8f 100644 --- a/i18n/sv/email-aliasing.md +++ b/i18n/sv/email-aliasing.md 
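Review bot: The `+` lines in this hunk replace previously translated Swedish sentences with the English source text while the rest of the same paragraphs stays Swedish, e.g. "Email metadata is stored in the [message header] ..." is immediately followed by "Det finns också ett antal dolda rubriker ...", and "Email metadata is protected from outside observers with [opportunistic TLS] ..." by "Ibland använder e-postservrar också tjänster ...". That is a translation regression rather than an improvement; keep the Swedish sentences (the old one did have the duplicated "skyddas från utomstående observatörer ... som skyddar dem från utomstående observatörer", which is what should be fixed) or switch the whole paragraph. Wording nit in the English line: "it is still able to be seen by" reads better as "it can still be seen by".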
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Recommended Providers
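Review bot: The new "## Benefits" lead sentence ends with a colon ("... over conventional mailbox management/filtering methods:") but is followed by the "### Over Plus Addressing" heading rather than by the list it announces; end it with a period or move it so the colon introduces the bullets. Also note that the newly added "## Recommended Providers" heading is the target of the `email-aliasing.md#recommended-providers` link introduced in the email.md hunk of this same patch; since other headings on these sv pages are localized ("## Kriterier"), make sure this heading keeps a stable English slug or the cross-link will dangle once it is translated.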
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
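Review bot: The download labels in this hunk are changed from "Android"/"iOS" to "Google Play"/"App Store", but the URLs are unchanged and still point at FAQ anchors (`https://addy.io/faq/#is-there-an-android-app`, `https://addy.io/faq/#is-there-an-ios-app`), not at store listings; either keep the generic platform labels or link the actual store pages so the label matches the destination. Replacing the hard-coded prices ("10 on Addy.io's free plan, 50 on their $1/month plan ...") with a link to `https://addy.io/#pricing` is a good call, since those numbers go stale. Splitting the Securitum audit sentence into its own paragraph also reads better.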
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Kriterier -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/sv/email-clients.md b/i18n/sv/email-clients.md index ef76f865..fc2ff455 100644 --- a/i18n/sv/email-clients.md +++ b/i18n/sv/email-clients.md 
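Review bot: In the SimpleLogin hunk (`@@ -97,18 +113,18 @@`), the voucher sentence that is merged into the Proton paragraph keeps a link labelled "[ProxyStore](https://simplelogin.io/faq)" that points at the SimpleLogin FAQ rather than at the reseller; the Addy.io section links its voucher page directly (`https://addy.io/help/voucher-codes`), so either link the reseller or reword to "see their FAQ". Moving the 2022 audit sentence into its own paragraph is consistent with the Addy.io change above.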
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Tjänsteleverantörer](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Riktade attacker](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/sv/email.md b/i18n/sv/email.md index 07d5b155..c98c48ca 100644 --- a/i18n/sv/email.md +++ b/i18n/sv/email.md 
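Review bot: The OAuth link is switched from Wikipedia to the internal anchor `basics/account-creation.md#sign-in-with-oauth`. On these sv pages some headings are localized (e.g. "## Kriterier", "### Hur skyddar jag mina privata nycklar?"), so confirm the sv `account-creation.md` still produces the English slug `sign-in-with-oauth`; the email-security hunk earlier in this patch links the same anchor as `account-creation.md#sign-in-with-oauth` and has the same dependency.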
@@ -22,19 +22,19 @@ E-post är i praktiken en nödvändighet för att använda internettjänster, me For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. Läs vår [fullständiga lista över kriterier](#criteria) för mer information. -| Leverantör | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonyma betalningar | -| --------------------------- | -------------------------------------- | ----------------------------------------------------------------------------- | -------------------------------------------------------- | -------------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Endast för betalda prenumerationer | :material-check:{ .pg-green } | Kontant | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Endast e-post | Kontant | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Kontant via tredje part | +| Leverantör | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ----------------------------------------------------------------------------- | -------------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Endast för betalda prenumerationer | :material-check:{ .pg-green } | Kontant | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Endast e-post | Kontant | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ 
.pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP Compatible Services -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
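Review bot: In the provider table, the Tuta row's last cell now appears split across lines ("Monero" / "Cash via third party"); if that is a raw newline rather than a `<br>` in the Markdown source, the table row will not render. The header row also ends up mixed-language: "Leverantör" stays Swedish while "Zero-Access Encryption" and "Anonymous Payment Methods" (previously "Anonyma betalningar") are English, so this hunk undoes part of the translation. The `email-aliasing.md#recommended-providers` anchor introduced here matches the "## Recommended Providers" heading added in the email-aliasing hunk of this patch.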
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** är en e-posttjänst med fokus på ,integritet, kryptering, säkerhet, och användarvänlighet. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** är en e-posttjänst med fokus på ,integritet, kryptering, säkerhet, och användarvänlighet. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
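Review bot: The stray comma in "**Proton Mail** är en e-posttjänst med fokus på ,integritet, kryptering, säkerhet, och användarvänlighet." is carried over unchanged into the `+` line; since the line is being touched anyway, fix it to "med fokus på integritet, kryptering, säkerhet och användarvänlighet". Renaming "Proton Mail Free plan" to "Proton Free plan" and splitting the storage sentence out is fine.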
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Private Payment Methods -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Account Security 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail doesn't offer a digital legacy feature. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail doesn't offer a digital legacy feature. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
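Review bot: This hunk deletes "Proton Mail doesn't offer a digital legacy feature." without replacement, while the Mailbox.org hunk later in the same patch keeps "Mailbox.org has a digital legacy feature for all plans." If the sentence was removed because Proton now offers such a feature, say so here; if it was removed as unverified, the provider comparison becomes one-sided and the Mailbox.org claim should be revisited on the same basis.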
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Private Payment Methods -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Account Security -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta har varit verksamt sedan 2011 och har sitt säte i Hannover, Tyskland. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta har varit verksamt sedan 2011 och har sitt säte i Hannover, Tyskland. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Account Security 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Självhanterande e-post Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
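Review bot: The custom-domain requirement now appears twice in this hunk: it is added to **Minimum to Qualify** as "Allow users to use their own [domain name] ..." and re-added under **Best Case** as "Should allow users to use their own [domain name] ...", with the same justification sentence in both places. Keep only the minimum copy, and give it the same "Must" prefix as its neighbours ("Must allow users to use their own domain name") so the list reads consistently. Since i18n/sv/email.md is Crowdin output built from the English source strings, the duplication should be removed in the source file so it does not reappear on the next sync.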
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F och [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F och [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
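Review bot: The rewritten first item of the Best Case list still mixes languages: "Should support hardware authentication, i.e. U2F och [WebAuthn]..." keeps the Swedish "och" inside an otherwise English sentence. Either translate the whole string or leave it as the English source ("U2F and WebAuthn"); a half-translated string reads as an error in both languages. While touching it, "i.e." should be "e.g.", since U2F and WebAuthn are examples of hardware authentication rather than its definition.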
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Tydlig och lättläst dokumentation för uppgifter som att ställa in 2FA, e-postklienter, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/sv/os/android-overview.md b/i18n/sv/os/android-overview.md index 6f654445..86123280 100644 
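Review bot: Check the indentation of the new nested bullets under "Must not have any irresponsible marketing": the sub-items appear to be indented two spaces, but Python-Markdown, which MkDocs uses to build this site, only nests a list when child items are indented four spaces, so "Claims of ..." and "Guarantees of ..." may render as a continuation of the parent item or as a flat list instead of a sub-list, and the third-level items ("Reusing personal information ...", "[Browser fingerprinting]") need eight. The line "Reusing personal information e.g. (email accounts, unique pseudonyms, etc.)" also carries over a misplaced "e.g." from the old text; "e.g. email accounts, unique pseudonyms, etc." reads correctly.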
--- a/i18n/sv/os/android-overview.md +++ b/i18n/sv/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/tr/basics/account-creation.md b/i18n/tr/basics/account-creation.md index 405f9aae..934a0d97 100644 --- a/i18n/tr/basics/account-creation.md +++ b/i18n/tr/basics/account-creation.md 
@@ -42,7 +42,7 @@ Oturum açma kimlik bilgilerinizi yönetmekten siz sorumlu olacaksınız. Daha f #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/tr/basics/email-security.md b/i18n/tr/basics/email-security.md index 8448e62d..5a77638b 100644 --- a/i18n/tr/basics/email-security.md +++ b/i18n/tr/basics/email-security.md 
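Review bot: The new first line of this hunk expands the acronym as "Open Authorization (OAuth)" and then calls it "an authentication protocol" in the same sentence. OAuth 2.0 is an authorization framework for delegating access to a resource; the "Sign in with ..." flows the section describes add an identity layer, OpenID Connect, on top of it. Suggest "is an authorization protocol, commonly used for sign-in through OpenID Connect, that allows you to register ..." or simply "is a protocol that allows you to register ...". i18n/tr/basics/account-creation.md is generated from the English source strings, so the wording should be corrected there.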
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -E-posta varsayılan olarak güvensiz bir iletişim şeklidir. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +E-posta varsayılan olarak güvensiz bir iletişim şeklidir. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. Sonuç olarak e-posta, başkalarıyla iletişim kurmak için değil, çevrimiçi olarak kaydolduğunuz hizmetlerden işlem e-postaları (bildirimler, doğrulama e-postaları, parola sıfırlama vb. gibi) almak için en iyi şekilde kullanılır. ## E-posta Şifrelemeye Genel Bakış -Farklı e-posta sağlayıcıları arasındaki e-postalara uçtan uca şifreleme eklemenin standart yolu OpenPGP kullanmaktır. OpenPGP standardının farklı uygulamaları vardır, en yaygın olanları [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) ve [OpenPGP.js](https://openpgpjs.org). +Farklı e-posta sağlayıcıları arasındaki e-postalara uçtan uca şifreleme eklemenin standart yolu OpenPGP kullanmaktır. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. Bu nedenle, mümkün olduğunca kişiden kişiye iletişim için e-posta yerine ileri gizlilik uygulayan [anlık mesajlaşma programlarını](../real-time-communication.md) öneriyoruz. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. Bu nedenle, mümkün olduğunca kişiden kişiye iletişim için e-posta yerine ileri gizlilik uygulayan [anlık mesajlaşma programlarını](../real-time-communication.md) öneriyoruz. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
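Review bot: "[Google Workplace](https://support.google.com/a/topic/9061730)" in the S/MIME paragraph misnames the product; the linked help topic belongs to Google Workspace. The same changed line drops the comma before "however", producing a run-on ("... called [S/MIME], however it requires ..."), and "popular with business" should be "popular with businesses". The product name error is present in both the old and the new line, so it needs to be fixed in the English source string rather than in this Turkish file.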
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
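Review bot: The "OATH" to "OAuth" correction in the last changed line of this hunk is right, but the link it adds points to account-creation.md#sign-in-with-oauth, the "Sign in with ..." registration section, while this sentence is about a mail client authenticating to the provider's IMAP/SMTP server with an OAuth token instead of a plain password. A reader following the link lands on a description of social login, not client authentication. Consider dropping the link ("does not support OAuth for mail client login") or pointing it at a section that actually covers client-side OAuth.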
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/tr/email-aliasing.md b/i18n/tr/email-aliasing.md index f2dd3ee2..60e925a7 100644 --- a/i18n/tr/email-aliasing.md +++ b/i18n/tr/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Önerilen Sağlayıcılar
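Review bot: The new `## Benefits`, `### Over Plus Addressing`, `### Over Catch-All Aliases` and `### Over Temporary Email Services` sections in this hunk of i18n/tr/email-aliasing.md are English source text sitting directly above the translated heading `## Önerilen Sağlayıcılar`, so the Turkish page will render mixed-language until these strings are translated in Crowdin. Worth confirming they are registered as translation units rather than left as untranslated fallback, since the neighbouring headings on this page are already localized.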
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Kriter -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/tr/email-clients.md b/i18n/tr/email-clients.md index a624fb91..2b4d0a84 100644 --- a/i18n/tr/email-clients.md +++ b/i18n/tr/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Hedefli Saldırılar](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/tr/email.md b/i18n/tr/email.md index 5a672187..ebd9d558 100644 --- a/i18n/tr/email.md +++ b/i18n/tr/email.md 
@@ -22,19 +22,19 @@ E-posta, herhangi bir çevrimiçi hizmeti kullanmak için pratikte bir gereklili Diğer her şey için, sürdürülebilir iş modellerine ve yerleşik güvenlik ve gizlilik özelliklerine dayalı çeşitli e-posta sağlayıcıları öneriyoruz. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP Uyumlu Hizmetler -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Örneğin, bir Proton Mail kullanıcısı bir Mailbox.org kullanıcısına bir uçtan uca şifreli mesaj gönderebilir, veya bunu destekleyen internet hizmetlerinden OpenPGP şifreli bildirimler alabilirsiniz. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Örneğin, bir Proton Mail kullanıcısı bir Mailbox.org kullanıcısına bir uçtan uca şifreli mesaj gönderebilir, veya bunu destekleyen internet hizmetlerinden OpenPGP şifreli bildirimler alabilirsiniz.
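Review bot: The link changed to `email-aliasing.md#recommended-providers` in this hunk targets a fragment that does not exist in i18n/tr/email-aliasing.md, where the corresponding heading is `## Önerilen Sağlayıcılar` (see the email-aliasing.md hunk above); MkDocs derives the anchor from the localized heading text, so the fragment will not resolve unless that heading carries an explicit `{ #recommended-providers }` attribute. Either add the attribute in the tr file or keep the plain `email-aliasing.md` link the removed line used. Separately, the Tuta row of the new table shows `Monero` and `Cash via third party` on separate lines; a raw newline inside a table cell splits the row in Markdown, so confirm the source uses an inline `<br>` there.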
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logosu](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** gizlilik, şifreleme, güvenlik ve kullanım kolaylığına odaklanan bir e-posta hizmetidir. **2013** yılından beri faaliyet göstermektedirler. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** gizlilik, şifreleme, güvenlik ve kullanım kolaylığına odaklanan bir e-posta hizmetidir. **2013** yılından beri faaliyet göstermektedirler. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Ücretli hesaplar Proton Mail Bridge, ek depolama alanı ve özel alan adı desteği gibi özellikler içerir. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Ücretli hesaplar Proton Mail Bridge, ek depolama alanı ve özel alan adı desteği gibi özellikler içerir. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Gizli Ödeme Yöntemleri -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Hesap Güvenliği 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Diğer Proton Mail hesaplarına gönderilen e-postalar otomatik olarak şifrelenir ve Proton Mail dışındaki adresler için OpenPGP anahtarıyla şifreleme, hesap ayarlarından kolayca etkinleştirilebilir. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail dijital miras özelliği sunmuyor. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail dijital miras özelliği sunmuyor. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Gizli Ödeme Yöntemleri -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Hesap Güvenliği -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } E-posta Şifreleme Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta 2011 yılından beri faaliyet göstermektedir ve merkezi Almanya'nın Hannover kentindedir. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta 2011 yılından beri faaliyet göstermektedir ve merkezi Almanya'nın Hannover kentindedir. + +Ücretsiz hesaplar 1 GB depolama alanı ile başlar. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Hesap Güvenliği 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Veri Güvenliği -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/tr/os/android-overview.md b/i18n/tr/os/android-overview.md index f2086618..4ff9761a 100644 
--- a/i18n/tr/os/android-overview.md +++ b/i18n/tr/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/uk/basics/account-creation.md b/i18n/uk/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/uk/basics/account-creation.md +++ b/i18n/uk/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/uk/basics/email-security.md b/i18n/uk/basics/email-security.md index 247fd4a9..f687cf51 100644 --- a/i18n/uk/basics/email-security.md +++ b/i18n/uk/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Електронна пошта за замовчуванням є незахищеною формою комунікації. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Електронна пошта за замовчуванням є незахищеною формою комунікації. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. Як наслідок, електронну пошту найкраще використовувати для отримання транзакційних повідомлень (наприклад, сповіщень, підтверджень, скидання паролів тощо) від сервісів, на які ви зареєструвалися в Інтернеті, а не для спілкування з іншими людьми. ## Огляд шифрування електронної пошти -Стандартним способом додавання E2EE до листів між різними поштовими провайдерами є використання OpenPGP. Існують різні реалізації стандарту OpenPGP, найпоширенішими з яких є [GnuPG](https://uk.wikipedia.org/wiki/GNU_Privacy_Guard) та [OpenPGP.js](https://openpgpjs.org). +Стандартним способом додавання E2EE до листів між різними поштовими провайдерами є використання OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Навіть якщо ви використовуєте OpenPGP, він не підтримує [Пряму секретність](https://uk.wikipedia.org/wiki/%D0%9F%D1%80%D1%8F%D0%BC%D0%B0_%D1%81%D0%B5%D0%BA%D1%80%D0%B5%D1%82%D0%BD%D1%96%D1%81%D1%82%D1%8C), що означає, якщо закритий ключ ваш або одержувача буде викрадено, всі попередні повідомлення, зашифровані за допомогою цього ключа, будуть відкриті. 
Ось чому ми рекомендуємо [месенджери](../real-time-communication.md), які реалізують пряму секретність через електронну пошту для особистого спілкування, коли це можливо. +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. Ось чому ми рекомендуємо [месенджери](../real-time-communication.md), які реалізують пряму секретність через електронну пошту для особистого спілкування, коли це можливо. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## Що таке стандарт Web Key Directory? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email На додачу до [рекомендованих поштових клієнтів](../email-clients.md), які підтримують WKD, деякі провайдери вебпошти також підтримують WKD. Чи буде *ваш власний ключ* опублікований у WKD для використання іншими, залежить від конфігурації вашого домену. Якщо ви використовуєте [провайдера електронної пошти](../email.md#openpgp-compatible-services), який підтримує WKD, наприклад, Proton Mail або Mailbox.org, вони можуть опублікувати для вас ваш ключ OpenPGP на своєму домені. -Якщо ви використовуєте власний домен, вам потрібно буде налаштувати WKD окремо. Якщо ви контролюєте своє доменне ім'я, ви можете налаштувати WKD незалежно від провайдера електронної пошти. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Крім того, ви можете [самостійно розмістити WKD на власному веб-сервері](https://wiki.gnupg.org/WKDHosting). +Якщо ви використовуєте власний домен, вам потрібно буде налаштувати WKD окремо. Якщо ви контролюєте своє доменне ім'я, ви можете налаштувати WKD незалежно від провайдера електронної пошти. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Крім того, ви можете [самостійно розмістити WKD на власному веб-сервері](https://wiki.gnupg.org/WKDHosting). -Якщо ви використовуєте домен від провайдера, який не підтримує WKD, наприклад @gmail.com, ви не зможете поділитися своїм ключем OpenPGP з іншими за допомогою цього методу. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### Які поштові клієнти підтримують E2EE? -Провайдери електронної пошти, які дозволяють використовувати стандартні протоколи, такі як IMAP та SMTP, можна використовувати з будь-яким з [рекомендованими поштовими клієнтами](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Провайдери електронної пошти, які дозволяють використовувати стандартні протоколи, такі як IMAP та SMTP, можна використовувати з будь-яким з [рекомендованими поштовими клієнтами](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### Як захистити свої приватні ключі? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Огляд метаданих електронної пошти -Метадані електронного листа зберігаються в [заголовку](https://uk.wikipedia.org/wiki/%D0%95%D0%BB%D0%B5%D0%BA%D1%82%D1%80%D0%BE%D0%BD%D0%BD%D0%B0_%D0%BF%D0%BE%D1%88%D1%82%D0%B0#%D0%97%D0%B0%D0%B3%D0%BE%D0%BB%D0%BE%D0%B2%D0%BA%D0%B8_%D0%BB%D0%B8%D1%81%D1%82%D0%B0) повідомлення електронної пошти і включають деякі видимі поля, такі як `Кому`, `Від`, `Копія`, `Дата`, `Тема`. Існує також низка прихованих заголовків, які включаються багатьма поштовими клієнтами та провайдерами і можуть розкрити інформацію про ваш обліковий запис. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. Існує також низка прихованих заголовків, які включаються багатьма поштовими клієнтами та провайдерами і можуть розкрити інформацію про ваш обліковий запис. Клієнтське програмне забезпечення може використовувати метадані електронної пошти, щоб показати, від кого надійшло повідомлення і в який час воно було отримано. Сервери можуть використовувати їх, щоб визначити, куди потрібно відправити електронне повідомлення, серед [інших цілей](https://uk.wikipedia.org/wiki/%D0%95%D0%BB%D0%B5%D0%BA%D1%82%D1%80%D0%BE%D0%BD%D0%BD%D0%B0_%D0%BF%D0%BE%D1%88%D1%82%D0%B0#%D0%97%D0%B0%D0%B3%D0%BE%D0%BB%D0%BE%D0%B2%D0%BA%D0%B8_%D0%BB%D0%B8%D1%81%D1%82%D0%B0), які не завжди є прозорими. ### Хто може переглядати метадані електронної пошти? -Метадані електронної пошти захищені від сторонніх спостерігачів за допомогою [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), але їх все одно може бачити програмне забезпечення вашого поштового клієнта (або веб-пошти) і будь-які сервери, що передають повідомлення від вас будь-яким одержувачам, включаючи вашого провайдера електронної пошти. 
Іноді поштові сервери також використовують сторонні сервіси для захисту від спаму, які, як правило, також мають доступ до ваших повідомлень. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Іноді поштові сервери також використовують сторонні сервіси для захисту від спаму, які, як правило, також мають доступ до ваших повідомлень. ### Чому метадані не можуть бути E2EE? -Метадані електронної пошти мають вирішальне значення для базової функціональності електронної пошти (звідки вона прийшла і куди має надійти). Спочатку E2EE не був вбудований в протоколи електронної пошти, натомість вимагав додаткового програмного забезпечення, такого як OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Метадані електронної пошти мають вирішальне значення для базової функціональності електронної пошти (звідки вона прийшла і куди має надійти). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/uk/email-aliasing.md b/i18n/uk/email-aliasing.md index bc73aeb2..0c912194 100644 --- a/i18n/uk/email-aliasing.md +++ b/i18n/uk/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Рекомендовані DNS-провайдери
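Review bot: The new section headings (`## Benefits`, `### Over Plus Addressing`, `### Over Catch-All Aliases`, `### Over Temporary Email Services`) and their intro sentences land in the uk file in English, which is expected for a sync but means this page now has English headings between Ukrainian ones; flag them for translation. The trailing context line `## Рекомендовані DNS-провайдери` reads "Recommended DNS providers" on an email-aliasing page, which looks like a copy from another page's translation and should be `## Рекомендовані провайдери`; note also that email.md in this same patch links to `email-aliasing.md#recommended-providers`, so check that the uk build resolves that anchor against this heading.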
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
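Review bot: The Chrome link changes from the slugged form `chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe` to the bare `detail/iadbdpnoknmbdeolbapdackdcogdmjpe`; confirm the short form resolves before merging, since it is the only store link on the card. Quoting the attribute values (`title="Documentation" }`, `title="Contribute" }`) is the right fix for the previous `title=Documentation}`, where the missing space left the closing brace glued to the value. Replacing the hard-coded tier numbers (10 free, 50 at $1/month, unlimited at $4/month) with a link to `https://addy.io/#pricing` avoids the figures going stale; splitting the Securitum audit sentence into its own paragraph matches the layout used for SimpleLogin later in the patch.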
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/uk/email-clients.md b/i18n/uk/email-clients.md index eec12ee6..cfe7a091 100644 --- a/i18n/uk/email-clients.md +++ b/i18n/uk/email-clients.md 
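Review bot: The `+` line `As both products are now owned by the same company you now only have to trust a single entity.` keeps the doubled "now" from the removed line; one of them should go. Merging the voucher sentence into the Proton-linking paragraph also dropped the comma the old version had before `[ProxyStore](https://simplelogin.io/faq)` ("their official reseller, [ProxyStore]"); either form is acceptable, but it is a silent wording change in what is presented as a reorder. The Edge link moves from `addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff` to the id-only form, same verification request as for the Addy.io Chrome link.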
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Постачальники послуг](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Цілеспрямовані атаки](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/uk/email.md b/i18n/uk/email.md index 20eb584a..0a0197a9 100644 --- a/i18n/uk/email.md +++ b/i18n/uk/email.md 
@@ -22,19 +22,19 @@ global: Для всього іншого ми рекомендуємо різноманітні поштові сервіси, що базуються на стійких бізнес-моделях і мають вбудовані функції безпеки та конфіденційності. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## Сервіси, сумісні з OpenPGP -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. Наприклад, користувач Proton Mail може надіслати повідомлення E2EE користувачеві Mailbox.org, або ви можете отримувати сповіщення, зашифровані за допомогою OpenPGP, від інтернет-сервісів, які його підтримують. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. Наприклад, користувач Proton Mail може надіслати повідомлення E2EE користувачеві Mailbox.org, або ви можете отримувати сповіщення, зашифровані за допомогою OpenPGP, від інтернет-сервісів, які його підтримують.
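Review bot: In the Tuta row the last cell appears here as `Monero` followed by a break and then `Cash via third party |`. The hunk header (`-22,19 +22,19`) shows the line count is unchanged, so the row is still a single source line and the break is an inline separator rather than a literal newline; confirm it renders as two lines inside the cell, since a stray tag or newline in a Markdown table cell breaks the whole table. The rest of the header edits (`Zero-Access Encryption`, `Anonymous Payment Methods`) are fine. The aliasing link now targets `email-aliasing.md#recommended-providers`; in the uk tree that heading is currently `## Рекомендовані DNS-провайдери` (visible in the email-aliasing.md hunk above), so check that the anchor resolves in the uk build.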
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Логотип Proton Mail](assets/img/email/protonmail.svg){ align=right } -**Proton Mail — це поштовий сервіс з акцентом на конфіденційності, шифруванні, безпеці та простоті використання. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail — це поштовий сервіс з акцентом на конфіденційності, шифруванні, безпеці та простоті використання. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
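Review bot: Both the removed and the added opening line begin `**Proton Mail — це поштовий сервіс...` with no closing `**`, so the bold marker is unbalanced and will render literally; the English counterparts elsewhere in the patch use `**Mailbox.org** is ...` and `**Tuta** (formerly ...)`. Since this line is being touched anyway, the translation should become `**Proton Mail** — це поштовий сервіс ...`. The rename from "Proton Mail Free plan" to "Proton Free plan" on the split-off paragraph is a content change beyond the paragraph split and is worth calling out in the translator notes.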
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Безкоштовні акаунти мають деякі обмеження, такі як відсутність можливості пошуку в основному тексті та доступу до [Proton Mail Bridge](https://proton.me/mail/bridge), який необхідний для використання [рекомендованого десктопного поштового клієнта](email-clients.md) (наприклад, Thunderbird). Платні акаунти включають такі функції, як Proton Mail Bridge, додаткове сховище та підтримку власних доменів. [Атестаційний лист](https://proton.me/blog/security-audit-all-proton-apps) для додатків Proton Mail було надано 9 листопада 2021 року компанією [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Платні акаунти включають такі функції, як Proton Mail Bridge, додаткове сховище та підтримку власних доменів. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +[Атестаційний лист](https://proton.me/blog/security-audit-all-proton-apps) для додатків Proton Mail було надано 9 листопада 2021 року компанією [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
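Review bot: The first sentence of the free-accounts paragraph reverts from Ukrainian (`Безкоштовні акаунти мають деякі обмеження ...`) to English (`+Free accounts have some limitations ...`) while the next sentence `Платні акаунти включають такі функції ...` stays Ukrainian, so the paragraph is now bilingual. The visible source-side change is only structural (the SimpleLogin Premium sentence is pulled into this paragraph and the `[Атестаційний лист]` audit sentence is moved to its own paragraph), so the old translation should be reattached to the new segment in Crowdin instead of leaving the English fallback.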
@@ -93,7 +97,7 @@ Proton Mail has internal crash reports that are **not** shared with third partie #### :material-check:{ .pg-green } Конфіденційні способи оплати -Proton Mail [приймає](https://proton.me/support/payment-options) готівку поштою на додаток до стандартних кредитних/дебетових карток, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) та платежі через PayPal. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Безпека облікового запису 
@@ -109,7 +113,7 @@ Proton Mail має [шифрування з нульовим доступом](h Proton Mail має [інтегроване OpenPGP шифрування](https://proton.me/support/how-to-use-pgp) у своїй електронній пошті. Електронні листи на інші акаунти Proton Mail шифруються автоматично, а шифрування на адреси, що не належать до Proton Mail, за допомогою ключа OpenPGP можна легко ввімкнути в налаштуваннях вашого акаунта. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. Це дозволяє людям, які не користуються Proton Mail, легко знайти OpenPGP ключі акаунтів Proton Mail для незалежного від провайдерів E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Деактивація облікового запису 
@@ -117,17 +121,17 @@ Proton Mail also publishes the public keys of Proton accounts via HTTP from thei #### :material-information-outline:{ .pg-blue } Додаткова функціональність -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail не пропонує функцію цифрової спадщини. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
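Review bot: Dropping `Proton Mail не пропонує функцію цифрової спадщини.` (and, later in this patch, `Tuta doesn't offer a digital legacy feature.`) leaves Mailbox.org's digital legacy paragraph, which this patch keeps, as the only mention of the feature. If digital legacy is no longer a comparison point, that is fine; if it still is, the Proton "Додаткова функціональність" section now says nothing either way and readers lose the contrast. Either way the reason for the removal should be stated in the commit message rather than arriving silently via a translation sync.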
-![Логотип Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** — це поштовий сервіс, який прагне бути безпечним, не містить реклами та працює на 100% екологічно чистій енергії. Вони працюють з 2014 року. Mailbox.org базується в Берліні, Німеччина. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. Вони працюють з 2014 року. Mailbox.org базується в Берліні, Німеччина. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
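Review bot: The image alt text changes from `Логотип Mailbox.org` to the English `Mailbox.org logo`, while the Proton hunk above keeps `![Логотип Proton Mail]` and the Tuta hunk below already uses `![Tuta logo]`; the uk tree should settle on one language for alt text, ideally Ukrainian since it is read out by screen readers in the page's language. The same English-fallback pattern applies to the first sentence `+**Mailbox.org** is an email service with a focus on being secure, ad-free, ...`, which is followed by the untouched Ukrainian `Вони працюють з 2014 року.`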
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Конфіденційні способи оплати -Mailbox.org не приймає жодних криптовалют, оскільки їхній платіжний процесор BitPay призупинив роботу в Німеччині. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org не приймає жодних криптовалют, оскільки їхній платіжний процесор BitPay призупинив роботу в Німеччині. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Безпека облікового запису -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Веб-стандарти, такі як [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) на цей момент не підтримуються. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Безпека даних Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
Нові повідомлення, які ви отримуєте, будуть негайно зашифровані вашим публічним ключем. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. Для цієї інформації може бути більш доречною [окрема опція](calendar.md). +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Шифрування електронної пошти Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. Ця функція корисна, коли віддалений одержувач не має OpenPGP і не може розшифрувати копію листа у власній поштовій скриньці. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. Це дозволяє людям за межами Mailbox.org легко знаходити ключі OpenPGP акаунтів Mailbox.org для незалежного від провайдерів E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Деактивація облікового запису @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org також підтримує [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) на додаток до стандартних протоколів доступу, таких як IMAP і POP3. -Mailbox.org має функцію цифрової спадщини для всіх тарифних планів. Ви можете вибрати, чи хочете ви, щоб будь-які ваші дані були передані спадкоємцям, за умови, що вони подадуть заяву та нададуть ваш заповіт. Крім того, ви можете номінувати людину за ім'ям та адресою. +Mailbox.org має функцію цифрової спадщини для всіх тарифних планів. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Крім того, ви можете номінувати людину за ім'ям та адресою. ## Більше провайдерів 
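Review bot: Correcting `Open-Exchange` to `Open-Xchange` fixes the product name and matches the Wikipedia link target already on the line; likewise `Paydirekt` is the proper capitalisation. Two paragraphs in this hunk are now bilingual: the payments paragraph keeps `Mailbox.org не приймає жодних криптовалют ...` in Ukrainian but its second sentence is English, and the WKD paragraph loses `Це дозволяє людям за межами Mailbox.org ...` in favour of the English `This allows people outside of Mailbox.org ...`. The hunk header (`-148,23 +152,23`) confirms the WKD paragraph is still one line, so the apparent break after `from their WKD.` is an extraction artefact and not a defect in the file.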
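Review bot: The digital legacy paragraph on the `+` line mixes the Ukrainian first and last sentences (`Mailbox.org має функцію цифрової спадщини для всіх тарифних планів.` ... `Крім того, ви можете номінувати людину ...`) with an English middle sentence (`You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament.`). The removed line carried a complete Ukrainian translation of that middle sentence, so it should be restored rather than left half-English; the English text also reads "providing that" where "provided that" is meant.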
@@ -195,7 +199,9 @@ Mailbox.org має функцію цифрової спадщини для вс ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Конфіденційні способи оплати -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Безпека облікового запису 
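Review bot: `[**cryptocurrency**](cryptocurrency.md)` in the `@@ -226,7 +232,7 @@` hunk bolds the link text of a single cross-reference, while the identical link in the Privacy criteria later in this file (`([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.)`) stays unbolded; pick one form, and since the emphasis adds nothing here the plain link is preferable. The same `+` line keeps a comma splice: `Tuta only directly accepts credit cards and PayPal, however [...] can be used` should be `...and PayPal; however, ...` or two sentences.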
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Безпека даних -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Це означає, що повідомлення та інші дані, які зберігаються у вашому акаунті, можете читати тільки ви. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). Це означає, що повідомлення та інші дані, які зберігаються у вашому акаунті, можете читати тільки ви. #### :material-information-outline:{ .pg-blue } Шифрування електронної пошти @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Самостійний хостинг електронної пошти Досвідчені системні адміністратори можуть розглянути можливість створення власного поштового сервера. Поштові сервери потребують уваги та постійного обслуговування, щоб забезпечити безпеку та надійність доставки пошти. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
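Review bot: The `@@ -248,8 +254,6 @@` hunk deletes `Tuta doesn't offer a digital legacy feature.` without any replacement, while the Mailbox.org write-up earlier in the same file still states `Mailbox.org має функцію цифрової спадщини для всіх тарифних планів.` The two provider sections are now asymmetric on a feature the page still describes for one of them. If the line was dropped because digital legacy is no longer something the page evaluates, the Mailbox.org mention should go as well; if Tuta has since added the feature, the hunk should say so instead of going silent.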
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
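Review bot: The custom-domain requirement now appears in both lists of the `@@ -315,21 +319,22 @@` hunk: `+- Allow users to use their own [domain name](...)` is added under **Minimum to Qualify**, and `+- Should allow users to use their own [domain name](...)`, with the same two-sentence justification, is also kept under **Best Case**. A requirement that is mandatory cannot also be aspirational, so the Best Case copy should be removed (its old `- Allows users...` line is already deleted; just do not re-add it). Two consistency points in the same hunk: the new minimum item lacks the `Must` prefix the neighbouring items were just given (`Must encrypt`, `Must be capable`, `Must operate`), and `Support for a temporary mailbox...` and `Catch-all or alias functionality...` in Best Case lack the `Should` prefix applied to the items around them.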
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
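Review bot: The `@@ -337,30 +342,30 @@` hunk applies the new `Must`/`Should` phrasing unevenly: in the Security **Minimum to Qualify** list only DMARC is rewritten (`+- Must have a proper [DMARC]...`), while `Protection of webmail with 2FA`, `Zero-access encryption`, `[DNSSEC] support`, `A valid [MTA-STS]...`, `Valid [DANE] records`, `Valid [SPF] and [DKIM] records` and the TLS items keep the noun-phrase form, whereas the Privacy lists in the same hunk are converted wholesale (`Must protect`, `Must not require`, `Should accept`, `Should be hosted`). A half-converted list reads as though only DMARC were mandatory; either convert the whole Security minimum list or leave the DMARC line in the old form.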
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/uk/os/android-overview.md b/i18n/uk/os/android-overview.md index a0655863..0e8f750d 100644 
--- a/i18n/uk/os/android-overview.md +++ b/i18n/uk/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr Програма додаткового захисту забезпечує посилений моніторинг загроз та вмикає: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Доступ до даних облікового запису можуть отримувати лише Google і перевірені сторонні програми - Сканування вхідних електронних листів в акаунтах Gmail на предмет [спроб фішингу](https://en.wikipedia.org/wiki/Phishing#Email_phishing) - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ In the past, Android security updates had to be shipped by the operating system All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Вимкніть цю функцію, щоб обмежити збір даних про вас. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Перевірте diff --git a/i18n/vi/basics/account-creation.md b/i18n/vi/basics/account-creation.md index 0f45c8be..fd94a80a 100644 --- a/i18n/vi/basics/account-creation.md +++ b/i18n/vi/basics/account-creation.md 
@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security, #### Email aliases -If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t ### "Sign in with..." (OAuth) -OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. The main advantages are: -- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). -- **Ease of use**: multiple accounts are managed by a single login. +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. 
Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. But there are disadvantages: -- **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). diff --git a/i18n/vi/basics/email-security.md b/i18n/vi/basics/email-security.md index 9befa955..d3d0fd2e 100644 --- a/i18n/vi/basics/email-security.md +++ b/i18n/vi/basics/email-security.md 
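Review bot: `[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol` in the `@@ -50,19 +50,19 @@` hunk repeats an imprecision the rewrite could have fixed: OAuth 2.0 (RFC 6749) is an authorization framework, and the "Sign in with..." flows this section describes authenticate the user through OpenID Connect layered on top of it. Suggest `is an authorization framework, commonly used with OpenID Connect for "Sign in with..." login`, or at minimum `authorization protocol`. Also `+- **Ease-of-use**: Multiple accounts...` hyphenates a noun phrase; the unhyphenated `Ease of use` from the removed `-` line is the correct form, since the hyphens belong only to the adjectival use.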
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. ## Email Encryption Overview -The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. 
## What is the Web Key Directory standard? 
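Review bot: `[Google Workplace](https://support.google.com/a/topic/9061730)` is carried over unchanged on the `+` line of the `@@ -5,17 +5,17 @@` hunk; the product is Google Workspace, and the linked topic is the Workspace admin help, so the name should be corrected while this string is being edited. The same `+` line changes `S/MIME, however, it requires` to `S/MIME, however it requires`, which is still a comma splice; `S/MIME; however, it requires...` or starting a new sentence at `However, it requires` fixes it. The `GnuPG` link retarget to `../encryption.md#gnu-privacy-guard` and the forward-secrecy rewording are fine.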
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you. -If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). -If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method. 
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### What Email Clients Support E2EE? -Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### How Do I Protect My Private Keys? 
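Review bot: The WKD-as-a-Service paragraph in the `@@ -23,13 +23,13 @@` hunk tells the reader to set the `openpgpkey` CNAME and upload the key but offers no way to confirm publication worked. The criteria elsewhere in this patch cite `gpg --locate-key example_user@example.com`, so the check belongs here too, with the caveat that `--locate-key` on its own uses the default `auto-key-locate` mechanisms (local keyring first) and can report success without ever querying WKD; `gpg --auto-key-locate clear,nodefault,wkd --locate-key user@example.com` restricts the lookup to WKD. Separately, the `OATH` → `OAuth` correction on the last `+` line is right (mail clients authenticate to IMAP/SMTP with OAuth bearer tokens over SASL, which is what makes MFA possible there; OATH is the TOTP/HOTP standards body) and is worth calling out in the PR description so the other locales receive it as well.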
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## Email Metadata Overview -Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. ### Who Can View Email Metadata? -Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 
Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. ### Why Can't Metadata be E2EE? -Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/vi/email-aliasing.md b/i18n/vi/email-aliasing.md index 5e4115cc..33cf29d4 100644 --- a/i18n/vi/email-aliasing.md +++ b/i18n/vi/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Recommended Providers
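Review bot: the sub-section lead-ins repeat the sentence that introduces `## Benefits`: the intro already says the service "has a number of benefits over conventional mailbox management/filtering methods", and then `### Over Catch-All Aliases` and `### Over Temporary Email Services` each open with another "has a number of benefits over ..." sentence before their lists. Consider trimming the two sub-section sentences to a single clause (e.g. "Compared with a catch-all alias on a custom domain:") so the headings carry the comparison. Also note that the new `## Recommended Providers` heading at the end of this hunk is the anchor the `email.md` hunk later in this patch links to as `email-aliasing.md#recommended-providers`; if the heading text is changed in any locale, that link must be updated with it.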
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
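Review bot: the two download entries relabelled `Google Play` and `App Store` (with the `:simple-googleplay:` and `:simple-appstore:` icons) still point at `https://addy.io/faq/#is-there-an-android-app` and `https://addy.io/faq/#is-there-an-ios-app`, i.e. FAQ anchors rather than store listings, so the label now promises a destination the link does not deliver; either keep the previous generic `Android`/`iOS` labels or link the actual store pages. The `title="Documentation"` and `title="Contribute"` quoting changes are fine and bring these lines in line with the already-quoted `title="Privacy Policy"` and `title="Source Code"` attributes. Replacing the hard-coded plan limits ("10 on the free plan, 50 on their $1/month plan ...") with a link to the pricing page is a good call, since those numbers go stale quickly in translated copies.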
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Framadate -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/vi/email-clients.md b/i18n/vi/email-clients.md index 91d77dbc..752f8e6d 100644 --- a/i18n/vi/email-clients.md +++ b/i18n/vi/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/vi/email.md b/i18n/vi/email.md index 9e84603d..65666220 100644 --- a/i18n/vi/email.md +++ b/i18n/vi/email.md 
@@ -22,19 +22,19 @@ Email is practically a necessity for using any online service, however we do not For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP Compatible Services -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
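Review bot: the Tuta row of the rewritten table is suspect: the `Anonymous Payment Methods` cell reads `| Monero` on one line and `Cash via third party |` on the next, whereas the removed row had `Monero & Cash via third-party` in one cell. A literal newline inside a Markdown table cell terminates the row, so unless the separator is an inline `<br>` the Tuta row will not render; please confirm the source string. The header rename to `Zero-Access Encryption` is consistent with the `zero-access encryption at rest` wording adopted in the Tuta `Data Security` hunk later in this patch.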
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). -OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
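Review bot: the rewritten forward-secrecy sentence is still imprecise in "all previous messages encrypted with it will be exposed". An OpenPGP message is encrypted to one or more public keys (the recipient's, and usually the sender's own key via encrypt-to-self), and only the compromise of a private key the message was encrypted to exposes it; "encrypted with it" suggests the key is used symmetrically and that either party's key always decrypts every message. Suggest: "all previous messages encrypted to that key will be exposed". Moving the "How do I protect my private keys?" link onto its own list item matches the link-list style used elsewhere on the page.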
@@ -58,7 +60,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the -Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Private Payment Methods -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Account Security 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,9 +121,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail doesn't offer a digital legacy feature. +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org @@ -127,7 +129,9 @@ Proton Mail doesn't offer a digital legacy feature. ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Private Payment Methods -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Account Security -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Account Security 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **Minimum to Qualify:** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### Privacy 
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **Minimum to Qualify:** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### Security -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **Minimum to Qualify:** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **Minimum to Qualify:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/vi/os/android-overview.md b/i18n/vi/os/android-overview.md index f2086618..4ff9761a 100644 
--- a/i18n/vi/os/android-overview.md +++ b/i18n/vi/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
@@ -154,7 +154,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. -On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check diff --git a/i18n/zh-Hant/basics/account-creation.md b/i18n/zh-Hant/basics/account-creation.md index 4005547f..eead7edd 100644 --- a/i18n/zh-Hant/basics/account-creation.md +++ b/i18n/zh-Hant/basics/account-creation.md @@ -42,7 +42,7 @@ The Privacy Policy is how the service says they will use your data, and it is wo #### 電子郵件別名 -如果您不想將您的真實電子郵件地址提供給服務,您可以選擇使用別名。 我們在電子郵件服務推薦頁面上更詳細地描述了它們。 基本上,別名服務允許您生成新的電子郵件位址,將所有電子郵件轉發到您的主位址。 This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. 這些可以根據它們被發送到的別名自動過濾。 +如果您不想將您的真實電子郵件地址提供給服務,您可以選擇使用別名。 We describe them in more detail on our email services recommendation page. 基本上,別名服務允許您生成新的電子郵件位址,將所有電子郵件轉發到您的主位址。 This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. 這些可以根據它們被發送到的別名自動過濾。 如果服務遭到駭客攻擊,您用於註冊的電子郵件可能會收到網路釣魚或垃圾郵件。 為每個服務使用獨特的別名可以幫助確定哪些服務被駭。 
@@ -50,19 +50,19 @@ The Privacy Policy is how the service says they will use your data, and it is wo ### "登入方式:" (OAuth) -OAuth 是一種驗證協定可在註冊服務時無須對供應商分享註冊資訊,而是利用在其它服務已有的註冊帳號來登入。 每當您在註冊表單上看到「登入方式: 使用 *提供商名稱*登入」時,它就是 OAuth。 +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. 每當您在註冊表單上看到「登入方式: 使用 *提供商名稱*登入」時,它就是 OAuth。 當您透由 OAuth 登入,它會開啟您所選的供應商登入頁面而您的帳戶即會與新帳戶連接。 我們不會分享你的密碼,但會分享一些基本資訊(你可以在登入期間要求查看)。 每次您想要登入同一個帳戶時,都需要進行此程序。 主要優勢是: -- **安全性**: 在儲存登入憑證時,無須信任所登入服務的安全實踐,因為它們是儲存在外部OAuth 提供者。使用 Apple 和 Google 等服務時,通常會遵循最佳安全實踐,持續審核其身份驗證系統,妥當儲存憑證(例如不會以純文字形式)。 -- **易用性**:多個帳戶由單一登入管理。 +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. 但也有一些缺陷: -- **隱私**: OAuth 讓您利用已註冊的服務作登入新服務。 -- **集中化**: 如果您使用的 OAuth 帳戶被駭或是無法利用它登入,與之連結的其它帳戶也會受到影響。 +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth 在那些服務之間深度整合情況下,可以特別有用。 我們建議將 OAuth 限制在需要的地方,用 [MFA](multi-factor-authentication.md)來保護主帳戶。 diff --git a/i18n/zh-Hant/basics/email-security.md b/i18n/zh-Hant/basics/email-security.md index cd440ecf..d7458b63 100644 --- a/i18n/zh-Hant/basics/email-security.md +++ b/i18n/zh-Hant/basics/email-security.md 
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -電子郵件本身即非安全的通訊形式。 You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +電子郵件本身即非安全的通訊形式。 You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. 因此,電子郵件最適合用於從您在線註冊的服務接收交易性電子郵件(如通知、驗證電子郵件、密碼重置等),而不是用於與他人溝通。 ## 郵件如何加密 -將 E2EE 添加到不同電子郵件提供商之間的電子郵件的標準方法是使用 OpenPGP。 OpenPGP 標準有不同的實現,最常見的是 [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) 和 [OpenPGP.js](https://openpgpjs.org)。 +將 E2EE 添加到不同電子郵件提供商之間的電子郵件的標準方法是使用 OpenPGP。 There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -即使您使用OpenPGP ,它也不支援 [向前保密](https://en.wikipedia.org/wiki/Forward_secrecy),這意味著如果您或收件人的私鑰被盜,所有先前加密的消息都將被曝光。 這就是為什麼我們建議 [即時通訊](../real-time-communication.md) ,只要有可能,就實現電子郵件的前向保密性,以進行個人對個人的通信。 +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. 這就是為什麼我們建議 [即時通訊](../real-time-communication.md) ,只要有可能,就實現電子郵件的前向保密性,以進行個人對個人的通信。 -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## Web Key Directory 網頁金鑰目錄標準介紹 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email 除了我們推薦的[電子郵件用戶端](../email-clients.md)支援 WKD外,一些網頁郵件供應商也支援 WKD。 *自己的*金鑰是否發佈到 WKD 供其他人使用取決於網域配置。 如果使用支援 WKD 的[電子郵件提供者](../email.md#openpgp-known-services),例如 Proton Mail 或 Mailbox.org,他們可以在其網站上發布您網域名所準備的 OpenPGP 金鑰。 -如果使用自訂網域,則需另外設定 WKD。 如果你可控制自定域名,則無論電子郵件提供者為何,都可以設定 WKD。 一個簡單的方法是使用 [WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service) 功能,透過指向`wkd.keys.openpgp.org` 網域的`openpgpkey` 子網域來設定CNAME記錄,然後將金鑰上傳到 [keys.openpgp.org](https://keys.openpgp.org) 。 或者你可以 [在自己的 Web 伺服器搭建 WKD](https://wiki.gnupg.org/WKDHosting) 。 +如果使用自訂網域,則需另外設定 WKD。 如果你可控制自定域名,則無論電子郵件提供者為何,都可以設定 WKD。 One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). 或者你可以 [在自己的 Web 伺服器搭建 WKD](https://wiki.gnupg.org/WKDHosting) 。 -如使用不支援 WKD 供應商的共用網域(例如 @gmail.com),則無法透過此方法與其他人共用你的 OpenPGP 金鑰。 +If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### 哪些郵件客戶端支援 E2EE? -電子郵件服務供應商讓您能使用標準訪問協議如 IMAP 與SMTP,以便應用[我們推薦的電子郵件客戶端軟體](../email-clients.md)。 安全性則視驗證方法而定,如果提供者或電子郵件用戶端不支援 OATH 或橋接應用程式,這可能會導致安全性降低,因為在純密碼驗證環境下無法使用[多重要素驗證](multi-factor-authentication.md)。 +電子郵件服務供應商讓您能使用標準訪問協議如 IMAP 與SMTP,以便應用[我們推薦的電子郵件客戶端軟體](../email-clients.md)。 Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### 我該如何保護自己的私鑰? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## 電子郵件元資料概覽 -電子郵件中繼資料儲存在電子郵件的 [個訊息標題](https://en. wikipedia. org/wiki/Email#Message_header) 中,並包含您可能已經看到的一些可見標題,例如: `To`、 `From`、 `Cc`、 `Date`、 `Subject`。 許多電子郵件客戶端和提供商還包含一些隱藏的標題,可以揭示有關您的帳戶的信息。 +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. 許多電子郵件客戶端和提供商還包含一些隱藏的標題,可以揭示有關您的帳戶的信息。 客戶端軟體可能會使用電子郵件中繼資料來顯示來自誰以及收到訊息的時間。 伺服器可以使用它來確定電子郵件消息必須發送的位置,其中 [個其他目的](https://en.wikipedia.org/wiki/Email#Message_header) 並不總是透明的。 ### 誰可以查看電子郵件中繼資料? -電子郵件元數據受到外部觀察者的保護, [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) 保護它免受外部觀察者的影響,但它仍然能夠被您的電子郵件客戶端軟體(或網路郵件)和任何伺服器看到,將您的消息轉發給任何收件人,包括您的電子郵件提供商。 有時,電子郵件伺服器也會使用第三方服務來防範垃圾郵件,垃圾郵件通常也可以訪問您的郵件。 +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 有時,電子郵件伺服器也會使用第三方服務來防範垃圾郵件,垃圾郵件通常也可以訪問您的郵件。 ### 爲什麼元數據不能是E2EE ? -電子郵件元數據對於電子郵件最基本的功能(它來自何處,以及它必須去向何處)至關重要。 E2EE 最初並未內建於電子郵件協議中,而是需要像 OpenPGP 這樣的附加軟體。 Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +電子郵件元數據對於電子郵件最基本的功能(它來自何處,以及它必須去向何處)至關重要。 E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. 
Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/zh-Hant/email-aliasing.md b/i18n/zh-Hant/email-aliasing.md index c88d341d..61733f41 100644 --- a/i18n/zh-Hant/email-aliasing.md +++ b/i18n/zh-Hant/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: 監控資本主義](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: 公共暴露](basics/common-threats.md#limiting-public-information){ .pg-green } -**電子郵件別名服務** 可讓您輕鬆地為每個註冊的網站產生一個新的電子郵件地址。 電子郵件別名會自動把郵件轉發到所選擇的電子郵件地址,以隱藏「主要」電子郵件地址和 [電子郵件提供商](email.md)。 真正的電子郵件別名比許多提供商常用和支援的加號地址(plus addressing)更好,可自行創建別名,如:「yourname +[anythinghere]@example.com」,而這可避免網站,廣告商和跟蹤網路簡單地刪除+符號之後的任何內容,以知道使用者真實電子郵件地址。 [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) 等組織要求廣告商 [規範化電子郵件地址](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) ;如此一來無論使用者的隱私意願如何,都可以關聯和追蹤它們。 +**電子郵件別名服務** 可讓您輕鬆地為每個註冊的網站產生一個新的電子郵件地址。 電子郵件別名會自動把郵件轉發到所選擇的電子郵件地址,以隱藏「主要」電子郵件地址和 [電子郵件提供商](email.md)。 + +電子郵件別名還可以在您的電子郵件供應商停止運作時提供保障。 在這種情況下,可輕鬆地將別名設定轉發給新的電子郵件地址。 但反過來,您也需要信任別名服務能夠持續運作。 + +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +真正的電子郵件別名比許多提供商常用和支援的加號地址(plus addressing)更好,可自行創建別名,如:「yourname +[anythinghere]@example.com」,而這可避免網站,廣告商和跟蹤網路簡單地刪除+符號之後的任何內容,以知道使用者真實電子郵件地址。 [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) 等組織要求廣告商 [規範化電子郵件地址](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) ;如此一來無論使用者的隱私意願如何,都可以關聯和追蹤它們。 + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- 有需要時,可以單獨開啟和關閉別名,防止網站隨機發送電子郵件給您。 +- 從別名地址發送回覆,屏蔽真實電子郵件地址。 + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- 別名是永久性的,如果您需要接收密碼重設等內容,可以再次開啟別名。 +- 電子郵件會發送到您信任的郵箱,而不是儲存在別名服務提供者。 +- 臨時電子郵件服務通常會有公共郵箱,任何知道地址的人都可以訪問,別名則個人所私有的。 + +## 推薦的提供商
@@ -19,20 +46,7 @@ cover: email-aliasing.webp
-電子郵件別名還可以在您的電子郵件供應商停止運作時提供保障。 在這種情況下,可輕鬆地將別名設定轉發給新的電子郵件地址。 但反過來,您也需要信任別名服務能夠持續運作。 - -使用專門的電子郵件別名服務比自定網域上的通用別名有許多好處: - -- 有需要時,可以單獨開啟和關閉別名,防止網站隨機發送電子郵件給您。 -- 從別名地址發送回覆,屏蔽真實電子郵件地址。 - -與「臨時電子郵件」服務相比,它們還有許多好處: - -- 別名是永久性的,如果您需要接收密碼重設等內容,可以再次開啟別名。 -- 電子郵件會發送到您信任的郵箱,而不是儲存在別名服務提供者。 -- 臨時電子郵件服務通常會有公共郵箱,任何知道地址的人都可以訪問,別名則個人所私有的。 - -我們所推薦的電子郵件別名提供商可讓您在他們所控制的網域名稱上建立別名;也可在您自己的自訂網域名稱上建立別名,而只需支付適度的年費。 如果想要最大限度的控制,也可以自主託管。 但是,使用自定網域可能會有隱私上的缺點:如果自己是唯一使用該自定網域的人,只需查看電子郵件地址中的網域名稱並忽略 (@) 符號之前的所有內容,即可輕鬆跟蹤您的動作。 +我們所推薦的電子郵件別名提供商可讓您在他們所控制的網域名稱上建立別名;也可在您自己的自訂網域名稱上建立別名,而只需支付適度的年費。 如果想要最大限度的控制,也可以自主託管。 However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. 使用別名服務代表您需要同時信任您的電子郵件供應商和您的別名供應商,讓他們處理您未加密的郵件。 有些提供商會透過自動 PGP 加密[^1] 稍微緩解這個問題,在傳送至您最終的電子信箱供應商之前,先將收到的電子郵件加密,將您需要信任的對象從兩個減少到一個。 
@@ -42,29 +56,31 @@ cover: email-aliasing.webp ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). -[:octicons-home-16: 首頁](https://addy.io){ .md-button .md-button--primary } -[:octicons-eye-16:](https://addy.io/privacy){ .card-link title="隱私權政策" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=說明文件} -[:octicons-code-16:](https://github.com/anonaddy){ .card-link title="原始碼" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=捐款 } +[:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
下載 -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -可建立無限的標準別名,這些別名以 @[username].addy.io 等網域或付費方案自訂網域結尾。 付費帳戶可建立無數的標準別名如尾綴為 @[username]. 或是自定域名。不過如前面提過,標準別名電郵並不利於隱私,因為只依據域名就可以簡單地把別名綁定起來。 當共用網域名服務封鎖此功能時,它就派得上用場了。 Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. 付費帳戶可建立無數的標準別名如尾綴為 @[username]. 或是自定域名。不過如前面提過,標準別名電郵並不利於隱私,因為只依據域名就可以簡單地把別名綁定起來。 當共用網域名服務封鎖此功能時,它就派得上用場了。 + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). 值得注意的免費功能: 
@@ -84,10 +100,10 @@ The number of shared aliases (which end in a shared domain like @addy.io) that y **SimpleLogin** 是免費服務,可在各種共享域名上提供電子郵件別名,並可選擇提供無限別名和自訂域名等付費功能。 -[:octicons-home-16: 首頁](https://simplelogin.io){ .md-button .md-button--primary } -[:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="隱私權政策" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=說明文件} -[:octicons-code-16:](https://github.com/simple-login){ .card-link title="原始碼" } +[:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
下載 @@ -97,18 +113,18 @@ The number of shared aliases (which end in a shared domain like @addy.io) that y - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin 在2022 年 4月8日[已被 Proton AG 收購](https://proton.me/news/proton-and-simplelogin-join-forces)。 如果主要電子郵箱使用 Proton Mail, SimpleLogin是一個不錯的選擇。 這兩種產品現在都由同一家公司擁有,您只需要信任單一實體。 我們預計 SimpleLogin 未來會與 Proton 產品更緊密地整合。 SimpleLogin 繼續支援轉寄至您所選擇的任何電子郵件供應商。 Securitum 在 2022 年初[審核](https://simplelogin.io/blog/security-audit) SimpleLogin,所有問題[均已改善](https://simplelogin.io/audit2022/web.pdf)。 +SimpleLogin 在2022 年 4月8日[已被 Proton AG 收購](https://proton.me/news/proton-and-simplelogin-join-forces)。 如果主要電子郵箱使用 Proton Mail, SimpleLogin是一個不錯的選擇。 這兩種產品現在都由同一家公司擁有,您只需要信任單一實體。 我們預計 SimpleLogin 未來會與 Proton 產品更緊密地整合。 SimpleLogin 繼續支援轉寄至您所選擇的任何電子郵件供應商。 -可在設定中將 SimpleLogin 帳戶與 Proton 帳戶作連結。 If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +可在設定中將 SimpleLogin 帳戶與 Proton 帳戶作連結。 If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum 在 2022 年初[審核](https://simplelogin.io/blog/security-audit) SimpleLogin,所有問題[均已改善](https://simplelogin.io/audit2022/web.pdf)。 值得注意的免費功能: 
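Review bot: In the SimpleLogin card hunk (`@@ -84,10 +100,10 @@`), the four card-link titles that were already localized (`首頁`, `隱私權政策`, `說明文件`, `原始碼`) are replaced with the English `Homepage`, `Privacy Policy`, `Documentation`, `Source Code`, so the zh-Hant page regresses to English labels. The only real defect in the old lines was the unquoted `title=說明文件}`; keep the Chinese titles and just add the quotes, e.g. `{ .card-link title="說明文件" }`.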
@@ -121,6 +137,6 @@ You can also purchase a voucher code for SimpleLogin Premium anonymously via the ## 標準 -**請注意,我們與所推薦的服務提供商並無任何關係。** 除了 [我們的常規標準](about/criteria.md) 之外,在適用的情況下,我們對電子郵件別名提供商的標準與 [電子郵件提供商](email.md#criteria) 的標準相同。 建議在選擇電子郵件提供商之前熟悉此列表,並進行自己的研究,以確保選出正確適合的電子郵件提供商。 +**請注意,我們與所推薦的服務提供商並無任何關係。** 除了 [我們的常規標準](about/criteria.md) 之外,在適用的情況下,我們對電子郵件別名提供商的標準與 [電子郵件提供商](email.md#criteria) 的標準相同。 We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: 自動 PGP 加密功能可讓您的電子郵箱別名供應商在收到未加密的電子郵件傳入並轉寄到您的主要電子信箱之前先將其加密,確保您的主要電子信箱供應商永遠不會看到未加密的電子郵件內容。 diff --git a/i18n/zh-Hant/email-clients.md b/i18n/zh-Hant/email-clients.md index 28232a04..c7eda5b2 100644 --- a/i18n/zh-Hant/email-clients.md +++ b/i18n/zh-Hant/email-clients.md @@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: 服務提供商](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: 針對性攻擊](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -我們推薦的**電子郵件客戶端**同時支援 [OpenPGP](encryption.md#openpgp) 和比較強的驗證,例如 [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth)。 OAuth 允許您使用[多因素驗證](basics/multi-factor-authentication.md),以防止帳號盜用。 +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth 允許您使用[多因素驗證](basics/multi-factor-authentication.md),以防止帳號盜用。
電子郵件不提供前向保密 diff --git a/i18n/zh-Hant/email.md b/i18n/zh-Hant/email.md index 39cc8414..d00234dc 100644 --- a/i18n/zh-Hant/email.md +++ b/i18n/zh-Hant/email.md @@ -22,19 +22,19 @@ global: 除此之外,我們還推薦各種基於可持續商業模式和內建安全和隱私功能的電子郵件提供商。 閱讀我們[完整的標準清單](#criteria),瞭解更多資訊。 -| 供應商 | OpenPGP / WKD | IMAP / SMTP | 零存取加密 | 匿名付款方式 | -| --------------------------- | -------------------------------------- | ------------------------------------------------- | ------------------------------------------------- | ------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } 僅提供付費版 | :material-check:{ .pg-green } | 現金 | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } 限 Mail | 現金 | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | 透過第三方 Monero & Cash | +| 供應商 | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ------------------------------------------------- | ------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } 僅提供付費版 | :material-check:{ .pg-green } | 現金 | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } 限 Mail | 現金 | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -除(或代替)此處推薦的電子郵件提供者之外,可能還希望考慮使用專門的[電子郵件別名服務](email-aliasing.md)來保護隱私。 除此之外,這些服務有助於保護真實收件匣免受垃圾郵件的侵害,防止行銷人員關聯您的帳戶,並使用 PGP 加密所有傳入的訊息。 +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. 除此之外,這些服務有助於保護真實收件匣免受垃圾郵件的侵害,防止行銷人員關聯您的帳戶,並使用 PGP 加密所有傳入的訊息。 - [更多資訊 :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP 兼容服務 -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. 例如, Proton Mail 用戶可以向 Mailbox.org 用戶發送 E2EE 消息,或者您可以從它支援的網際網路服務接收 OpenPGP 加密通知。 +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. 例如, Proton Mail 用戶可以向 Mailbox.org 用戶發送 E2EE 消息,或者您可以從它支援的網際網路服務接收 OpenPGP 加密通知。
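Review bot: In the `i18n/zh-Hant/email.md` provider table hunk (`@@ -22,19 +22,19 @@`), the Tuta row's last cell appears as `Monero` on one line and `Cash via third party |` on the next; a literal newline inside a Markdown table cell ends the row and renders the table broken. If two lines are intended, put `Monero<br>Cash via third party` on a single line, as the old `透過第三方 Monero & Cash` was. Separately, the header row is now half English (`Zero-Access Encryption`, `Anonymous Payment Methods`) while the cells stay Chinese (`僅提供付費版`, `限 Mail`, `現金`), so the table needs a full translation pass rather than a partial one.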
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key 當使用像 OpenPGP 這類 E2EE 技術時,電子郵件仍然會有一些元數據無法加密如主旨列。 了解更多[電子郵件元數據](basics/email-security.md#email-metadata-overview). -OpenPGP 也不支持前向保密,這意味著如果你或收件人的私鑰被盜,以前所有用它加密的訊息都會洩露。 [[如何保護我的私鑰?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ OpenPGP 也不支持前向保密,這意味著如果你或收件人的私鑰被 ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } -**Proton Mail** 是一個專注於隱私、加密、安全性和易用性的電子郵件服務。 他們自 2013 年起開始營運。 Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +**Proton Mail** 是一個專注於隱私、加密、安全性和易用性的電子郵件服務。 他們自 2013 年起開始營運。 Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: 首頁](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="洋蔥服務" } @@ -81,9 +85,9 @@ OpenPGP 也不支持前向保密,這意味著如果你或收件人的私鑰被 -免費帳戶有一些功能限制,例如無法搜尋郵件正文內容,也無法無法使用 [Proton Mail Bridge](https://proton.me/mail/bridge);後者是使用[建議的桌面郵件客戶端](email-clients.md) (例如 Thunderbird) 所需的。 付費帳戶包括 Proton Mail Bridge、額外儲存空間和自訂網域支援等功能。 Proton Mail 應用程式於 2021 年 11 月 9 日由 [Securitum](https://research.securitum.com) 提供[認證函](https://proton.me/blog/security-audit-all-proton-apps) 。 +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). 付費帳戶包括 Proton Mail Bridge、額外儲存空間和自訂網域支援等功能。 如果您有訂閱 Proton Unlimited 或任何多使用者的 Proton 方案,您也可以免費獲得 [SimpleLogin](email-aliasing.md#simplelogin) Premium。 -如果您有訂閱 Proton Unlimited 或任何多使用者的 Proton 方案,您也可以免費獲得 [SimpleLogin](email-aliasing.md#simplelogin) Premium。 +Proton Mail 應用程式於 2021 年 11 月 9 日由 [Securitum](https://research.securitum.com) 提供[認證函](https://proton.me/blog/security-audit-all-proton-apps) 。 Proton Mail 的內容崩潰報告**不會**對其它第三方分享。 可以在 web app 下取消,作法: :gear: → **所有設定** → **帳號** → **安全與隱私** → **隱私與資料蒐集**. 
@@ -93,7 +97,7 @@ Proton Mail 的內容崩潰報告**不會**對其它第三方分享。 可以在 #### :material-check:{ .pg-green } 私密付款方式 -Proton Mail 除了[支援](https://proton.me/support/payment-options)郵寄現金外,還接受信用卡/簽帳卡、[Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) 和 PayPal 付款。 +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } 帳號安全 @@ -109,7 +113,7 @@ Proton Mail 使用「[零存取加密技術](https://proton.me/blog/zero-access- Proton Mail 網頁郵件整合了 [OpenPGP 加密](https://proton.me/support/how-to-use-pgp) 。 發送到其他 Proton Mail 帳號的電子郵件會自動加密,並且可以在您的帳號設定中輕鬆啟用「使用 OpenPGP 金鑰對非 Proton Mail 位址進行加密」。 Proton also supports automatic external key discovery with WKD. 因此發送到使用 WKD 的其他供應商的電子郵件也將使用 OpenPGP 自動加密,無需與聯絡人手動交換公共 PGP 金鑰。 它可以 [加密非 Proton Mail 郵件位址的訊息](https://proton.me/support/password-protected-emails),不必非得使用帶 OpenPGP 的 Proton Mail 帳戶。 -Proton Mail 也透過 HTTP 從其 WKD 發布 Proton 帳戶的公鑰。 這可讓非 Proton Mail 使用者可以輕鬆找到 Proton Mail 帳戶的 OpenPGP 金鑰,以利跨供應商進行 E2EE 。 這僅限於使用 Proton 自身網域別名 (例如 @proton.me) 的電子郵件。 如果使用自定域名,則須另行[設定 WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) 。 +Proton Mail 也透過 HTTP 從其 WKD 發布 Proton 帳戶的公鑰。 This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } 終止帳號 
@@ -117,17 +121,17 @@ Proton Mail 也透過 HTTP 從其 WKD 發布 Proton 帳戶的公鑰。 這可讓 #### :material-information-outline:{ .pg-blue } 額外功能 -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail 不提供數字遺產功能。 +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Mailbox.org 標誌](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org** 電子郵件服務,專注於安全、無廣告和使用 100% 民間環保發電能源。 自 **2014 年** 開始運營。 Mailbox.org 總部位於德國柏林。 Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. 自 **2014 年** 開始運營。 Mailbox.org 總部位於德國柏林。 + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: 首頁](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="隱私權政策" } 
@@ -148,23 +152,23 @@ Mailbox.org 可使用自定域名,且支援 [catch-all](https://kb.mailbox.org #### :material-check:{ .pg-green } 私人付款方式 -Mailbox.org 不接受任何加密貨幣,因為他們的支付處理商 BitPay 暫停了德國業務。 However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org 不接受任何加密貨幣,因為他們的支付處理商 BitPay 暫停了德國業務。 However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } 帳號安全 -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. 您可以使用 TOTP 或通過 [YubiKey](https://en.wikipedia.org/wiki/YubiKey) 來使用 [YubiCloud](https://yubico.com/products/services-software/yubicloud) 進行雙重認證. Web 標準如 [WebAuthn ](https://en.wikipedia.org/wiki/WebAuthn) 尚不支援。 +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. 您可以使用 TOTP 或通過 [YubiKey](https://en.wikipedia.org/wiki/YubiKey) 來使用 [YubiCloud](https://yubico.com/products/services-software/yubicloud) 進行雙重認證. Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. 
#### :material-information-outline:{ .pg-blue } 資料安全 Mailbox.org 允許使用 [加密郵箱](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox)對傳入郵件進行加密。 收到的新訊息將立即用您的公鑰加密。 -不迥 Mailbox.org 使用的軟體平台 [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange)[不支援](https:// kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book)通訊錄和行事曆加密。 [獨立的選項](calendar.md) 可能更適合該資訊。 +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } 電子郵件加密 Mailbox.org 在他們的網頁郵件中 [整合了加密功能](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) ,這簡化了向具有公開OpenPGP金鑰的人發送訊息。 它們也讓遠端收件者可以在 Mailbox.org 的伺服器上[解密電子郵件](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp)。 當遠端收件人沒有 OpenPGP 無法解密自己郵箱中的電子郵件時,此功能非常有用。 -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 因此其它人可以輕鬆找到 Mailbox.org 帳戶的 OpenPGP 金鑰,便於跨提供者使用 E2EE。 這僅限於使用 Mailbox.org 自身網域(例如 @mailbox.org) 的電子郵件。 如果使用自定域名,則須另行[設定 WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) 。 +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } 終止帳號 
@@ -176,7 +180,7 @@ Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 所有帳號都附帶有限的[可以加密](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive)雲端儲存空間 。 Mailbox.org 還提供別名 [@ secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely),它對郵件伺服器之間的連線強制進行TLS加密,否則根本不會發送訊息。 Mailbox.org 除了支援 IMAP 和 POP3 等標準存取通訊協議外,還支援 [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) 。 -Mailbox.org 所有方案都提供了數位遺產功能。 你可以選擇是否要將任何資料傳遞給繼承人,但對方必須提出你的遺囑證明。 或者,您可以透過姓名和位址提出人選。 +Mailbox.org 所有方案都提供了數位遺產功能。 You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. 或者,您可以透過姓名和位址提出人選。 ## 更多供應商 @@ -195,7 +199,9 @@ Mailbox.org 所有方案都提供了數位遺產功能。 你可以選擇是否 ![Tuta 標誌](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta 標誌](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (前身為 *Tutanota*) 是一項透過使用加密技術,著重於安全性與隱私權的電子郵件服務。 Tuta 自 2011 年開始營運,總部位於德國漢諾威。 Free accounts start with 1 GB of storage. +**Tuta** (前身為 *Tutanota*) 是一項透過使用加密技術,著重於安全性與隱私權的電子郵件服務。 Tuta 自 2011 年開始營運,總部位於德國漢諾威。 + +Free accounts start with 1 GB of storage. [:octicons-home-16: 首頁](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="隱私權政策" } @@ -226,7 +232,7 @@ Tuta 不支援 [ IMAP 協議](https://tuta.com/support#imap) 或使用第三方 #### :material-information-outline:{ .pg-blue } 私密付款方式 -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } 帳號安全 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } 資料安全 -Tuta 為郵件、 [通訊錄位址聯絡人](https://tuta.com/support#encrypted-address-book)以及[行事曆](https://tuta.com/support#calendar)提供[零存取加密](https://tuta.com/support#what-encrypted) 。 這意味著儲存在您帳戶中的訊息和其他資料只有您能讀取。 +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). 這意味著儲存在您帳戶中的訊息和其他資料只有您能讀取。 #### :material-information-outline:{ .pg-blue } 電子郵件加密 @@ -248,8 +254,6 @@ Tuta [刪除六個月未登入使用的免費帳戶](https://tuta.com/support#in Tuta 向非營利組織提供免費 [商業版本](https://tuta.com/blog/secure-email-for-non-profit) 或大幅折扣。 -Tuta 不提供數位遺產功能。 - ## 自主託管電子郵件 進階系統管理員可以考慮設定自己的電子郵件伺服器。 郵件伺服器需要注意和持續維護,以確保安全性和郵件傳遞的可靠性。 In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
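Review bot: In this `email.md` hunk the line `Tuta 不提供數位遺產功能。` is deleted, and the earlier hunk `@@ -117,17 +121,17 @@` likewise deletes `Proton Mail 不提供數字遺產功能。`, while the Mailbox.org section keeps `Mailbox.org 所有方案都提供了數位遺產功能。` (hunk `@@ -176,7 +180,7 @@`). After this change a reader of the Proton Mail and Tuta sections can no longer tell whether digital legacy is unsupported or merely unmentioned; confirm the English source dropped these lines intentionally, otherwise restore them so the three providers stay comparable.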
@@ -315,52 +319,53 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit **最低合格要求:** -- 使用零存取加密技術全程加密電子郵件帳戶資料。 -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- 在自有基礎設施上運作,即不建立在第三方電子郵件服務提供商之上。 - -**最佳案例:** - -- 使用零存取加密帳戶全部資料(聯絡人、行事曆等)。 -- 網頁郵件整合 E2EE/PGP加密以更方便使用。 -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG 使用者可以透過輸入: `gpg --locate-key example_user@example.com` 取得金鑰。 -- 支援外部使用者的臨時信箱。 當您想要發送加密的電子郵件時,這非常有用,而無需將實際副本發送給您的收件人。 這些電子郵件通常具有限定時效,之後會被自動刪除。 它們也不需要收件人配置任何像OpenPGP這樣的加密技術。 -- 可提供 [onion 服務](https://en.wikipedia.org/wiki/.onion)的電子郵件服務供應商。 -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. -- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). 自定網域名稱對用戶來說很重要,因為它允許用戶在使用服務時仍維持持自我代理,以防服務變差或被另一家不優先考慮隱私的公司收購。 -- Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. - -### 隱私 - -我們希望所推薦的提供商盡可能少地收集客戶資料。 - -**最低合格要求:** - -- 保護寄件者的 IP 位址,包括過濾它,使其不顯示在`接收`標頭欄位中。 -- 除了使用者名稱和密碼外,不要求提供個人身份識別資訊(PII)。 -- 隱私政策符合 GDPR 之要求。 +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). 自定網域名稱對用戶來說很重要,因為它允許用戶在使用服務時仍維持持自我代理,以防服務變差或被另一家不優先考慮隱私的公司收購。 +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. 
**最佳情況:** -- 接受 [匿名付款選項](advanced/payments.md) ([加密貨幣](cryptocurrency.md),現金,禮品卡等) -- 託管在有強力法律保障隱私的司法管轄區。 +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- 支援外部使用者的臨時信箱。 This is useful when you want to send an encrypted email without sending an actual copy to your recipient. 這些電子郵件通常具有限定時效,之後會被自動刪除。 它們也不需要收件人配置任何像OpenPGP這樣的加密技術。 +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). 自定網域名稱對用戶來說很重要,因為它允許用戶在使用服務時仍維持持自我代理,以防服務變差或被另一家不優先考慮隱私的公司收購。 +- Catch-all or alias functionality for those who use their own domains. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). -### 安全 +### 隱私 -電子郵件伺服器處理大量非常敏感的資料。 我們期望供應商會採用最佳的業界實務,以保護其客戶。 +我們希望所推薦的供應商收集越少資料越好。 **最低合格要求:** -- 使用雙重驗證 (例如 TOTP) 保護 Webmail。 -- 零存取加密,建立在靜態加密的基礎上。 提供者沒有其所持有資料的解密金鑰。 這可防止惡意員工洩露他們存取的資料,或遠端敵人透過未經授權存取伺服器來釋放他們竊取的資料。 +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. + +**最佳情況:** + +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) 
+- Should be hosted in a jurisdiction with strong email privacy protection laws. + +### 安全 + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. + +**最低合格要求:** + +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 提供者沒有其所持有資料的解密金鑰。 這可防止惡意員工洩露他們存取的資料,或遠端敵人透過未經授權存取伺服器來釋放他們竊取的資料。 - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) 支援。 - 使用 [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh) 或 [Qualys SSL Labs](https://ssllabs.com/ssltest) 等工具沒發現 TLS 錯誤或漏洞; 這包括與憑證相關的錯誤和弱 DH 參數,例如 [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)) 錯誤。 -- 伺服器套件偏好設定 (TLSv1.3 為選用),適用於支援前向保密和認證加密的強密碼套件。 +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - 有效的 [MTA-STS](https://tools.ietf.org/html/rfc8461) 和[TLS-RPT](https://tools.ietf.org/html/rfc8460) 政策。 - 有效 [ DANE ](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) 紀錄。 - 有效的 [SPF ](https://en.wikipedia.org/wiki/Sender_Policy_Framework) 和 [ DKIM ](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) 記錄。 -- 擁有適當的 [DMARC ](https://en.wikipedia.org/wiki/DMARC) 記錄和原則,或使用 [ ARC ](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) 進行驗證。 如果正在使用 DMARC 驗證,則必須將原則設定為 `拒絕` 或 `隔離`。 +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. 如果正在使用 DMARC 驗證,則必須將原則設定為 `拒絕` 或 `隔離`。 - 伺服器套件最好為 TLS 1.2或更高版本以及 [ RFC8996](https://datatracker.ietf.org/doc/rfc8996)計劃。 - 假設使用SMTP,[SMTPS](https://en.wikipedia.org/wiki/SMTPS) 提交。 - 網站安全標準,例如: 
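Review bot: In the criteria hunk (`@@ -315,52 +319,53 @@`) the custom-domain requirement is listed twice: under **最低合格要求** as `- Allow users to use their own [domain name]...` and again under **最佳情況** as `- Should allow users to use their own [domain name]...`, each followed by the same Chinese explanation. A criterion cannot be both mandatory and best-case; keep the minimum-requirement entry and drop the best-case duplicate. Also, `- Catch-all or alias functionality for those who use their own domains.` is the only best-case bullet without the `Should ...` phrasing the rest of the list now uses.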
@@ -368,12 +373,12 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit - 如果從外部網域加載東西時,[子資源完整性](https://en.wikipedia.org/wiki/Subresource_Integrity) 。 - 必須支援檢視[郵件標頭](https://en.wikipedia.org/wiki/Email#Message_header),因為這是判斷電子郵件是否為釣魚嘗試的重要取證功能。 -**最佳案例:** +**最佳情況:** -- 支援硬體驗證,即 U2F 和 [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online)。 +- Should support hardware authentication, i.e. U2F 和 [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online)。 - [DNS 憑證授權機構授權 (CAA) 資源記錄](https://tools.ietf.org/html/rfc6844) 除了 DANE 支援外。 -- [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) 的實作,這對於在郵件列表 [RFC8617](https://tools.ietf.org/html/rfc8617) 發佈文章的人很有用。 -- 由信譽良好的第三方公司公布的安全審計。 +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - 漏洞獎勵計劃和/或協調漏洞披露過程。 - 網站安全標準,例如: - [內容安全策略(CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
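Review bot: In this hunk the bullet `- Should support hardware authentication, i.e. U2F 和 [WebAuthn](...)。` splices the new English source string onto the tail of the old Chinese translation (`和` and the full-width `。`), so it reads as a half-updated line. Either translate the whole bullet or keep the English source intact (`U2F and [WebAuthn](...).`) until it is translated.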
@@ -381,36 +386,33 @@ Stalwart does **not** have an integrated webmail, so you will need to use it wit ### 信任 -您不會把財務資料給身份作假的人,那麼為什麼會信任讓他們來使用您的電子郵件? 我們要求我們推薦的供應商公開其所有權或領導層級狀況。 我們也希望看到頻繁的透明度報告,特別是關於如何處理政府要求的報告。 +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? 我們要求推薦的供應商公開其所有權或領導層級狀況。 我們也希望能夠看到經常性的透明度報告,尤其是如何處理政府要求的部份。 **最低合格要求:** - 面向公眾的領導或所有權。 -**最佳案例:** +**最佳情況:** - 頻繁的透明度報告。 ### 行銷 -對於我們推薦的電子郵件供應商,我們希望看到負責任的行銷。 +With the email providers we recommend, we like to see responsible marketing. **最低合格要求:** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -不得有任何不負責任的行銷行為,可能包括下列內容: - -- 聲稱「無法破解的加密」。 使用加密時應考慮到,當未來有破解技術時,加密可能就不是秘密了。 -- 保證 100% 匿名性保護。 當有人宣稱某件事是 100% 時,這表示沒有失敗的把握。 我們知道人們可以透過許多方式輕易地解除匿名,例如: - - - 重複使用他們在沒有使用匿名軟體 (Tor、VPN 等) 的情況下存取的個人資訊,例如 (電子郵件帳號、獨特假名等) - - [瀏覽器指紋](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [瀏覽器指紋](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **最佳情況:** -- 針對設定雙重驗證、電子郵件用戶端、OpenPGP 等任務,提供簡單好懂的說明文件。 +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### 附加功能 -雖然不是嚴格要求,但我們在決定推薦哪些提供商時還會考慮其他一些便利或隱私因素。 +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. 
diff --git a/i18n/zh-Hant/os/android-overview.md b/i18n/zh-Hant/os/android-overview.md index 9e730e86..5d9dcd93 100644 --- a/i18n/zh-Hant/os/android-overview.md +++ b/i18n/zh-Hant/os/android-overview.md @@ -132,7 +132,7 @@ Android 7 及以上版本支援 VPN kill switch,無需安裝第三方應用程 進階防護計劃提供強化的威脅監控,並能夠: -- 更嚴格的雙重認證;例如,**必須**使用 [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online),且不允許使用 [SMS OTP](../basics/multi-factor-authentication.md#sms-or-email-mfa)、[TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) 和 [OAuth](https://en.wikipedia.org/wiki/OAuth)。 +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - 只有 Google 和經過驗證的第三方應用程式才能存取帳戶資料 - 掃描 Gmail 帳戶收到的電子郵件,以防[釣魚嘗試](https://en.wikipedia.org/wiki/Phishing#Email_phishing) - 使用 Google Chrome 進行更嚴格的[安全瀏覽器掃描](https://google.com/chrome/privacy/whitepaper.html#malware) 
@@ -154,7 +154,9 @@ Android 7 及以上版本支援 VPN kill switch,無需安裝第三方應用程 所有安裝 Google Play 服務的裝置都會自動產生 [廣告ID](https://support.google.com/googleplay/android-developer/answer/6048248) ,用於定向廣告。 禁用此功能以限制其收集您的資料。 -在具有 [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play)的Android 版上,前往 :gear: **設定** → **應用程式** → **Sandboxed Google Play** → **Google 設定** → **廣告**,然後選擇 *刪除廣告ID*。 +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. 查看 diff --git a/i18n/zh/basics/account-creation.md b/i18n/zh/basics/account-creation.md index 9b75b732..b585924e 100644 --- a/i18n/zh/basics/account-creation.md +++ b/i18n/zh/basics/account-creation.md @@ -42,7 +42,7 @@ The Privacy Policy is how the service says they will use your data, and it is wo #### 邮箱别名 -如果你不想把你的真实电子邮件地址提供给一个服务,你可以选择使用一个别名。 我们在我们的电子邮件服务推荐页面上对它们进行了更详细的描述。 本质上,别名服务允许你生成新的电子邮件地址,将所有电子邮件转发到你的主地址。 This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. 这些可以根据它们被发送到的别名自动过滤。 +如果你不想把你的真实电子邮件地址提供给一个服务,你可以选择使用一个别名。 We describe them in more detail on our email services recommendation page. 本质上,别名服务允许你生成新的电子邮件地址,将所有电子邮件转发到你的主地址。 This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. 这些可以根据它们被发送到的别名自动过滤。 如果一项服务被黑客攻击,你可能会开始收到钓鱼或垃圾邮件到你用来注册的地址。 为每项服务使用独特的别名,可以帮助准确识别什么服务被黑。 
@@ -50,19 +50,19 @@ The Privacy Policy is how the service says they will use your data, and it is wo ### “通过……登录” (OAuth) -OAuth是一种认证协议,它允许你在不与服务提供商共享太多信息的情况下(如果有的话),通过使用你在另一项服务中已有的账户来注册新服务。 每当你在注册表单上看到类似“通过*提供商名称*登录”的内容时,通常就是在使用OAuth。 +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. 每当你在注册表单上看到类似“通过*提供商名称*登录”的内容时,通常就是在使用OAuth。 当你通过OAuth登录时,它会打开一个登录页面,你选择的提供商和你现有的账户以及新账户将会被连接起来。 你的密码不会共享,但一些基本信息通常会共享(你可以在登录请求期间审查它) 每次你想登录同一个账户时,都需要这个过程。 主要的优点是: -- **安全性**:当涉及到存储登录凭证时,你不必信任你正在登录的服务的安全实践,因为这些凭证是存储在外部OAuth提供商那里的。对于像苹果和谷歌这样的服务来说,它们通常遵循最佳的安全实践,持续审计其认证系统,并且不会不适当地存储凭证(例如以明文形式)。 -- **易用性**:多个账户由一个登录账号管理。 +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. 但也有弊端: -- **隐私**:你使用的OAuth提供商将知道你使用的服务。 -- **集中化**:如果你用于OAuth的账户被泄露,或者你无法登录该账户,所有与之连接的其他账户都会受到影响。 +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. OAuth在需要服务之间更深入整合的情况下特别有用。 我们的建议是仅在需要时使用OAuth,并始终使用多因素认证 [MFA](multi-factor-authentication.md) 保护主账户。 diff --git a/i18n/zh/basics/email-security.md b/i18n/zh/basics/email-security.md index f9ee0552..5e572fa7 100644 --- a/i18n/zh/basics/email-security.md +++ b/i18n/zh/basics/email-security.md 
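Review bot: In the `i18n/zh/basics/account-creation.md` OAuth hunk, the new source sentence calls OAuth `an authentication protocol`; OAuth is an authorization framework, and the "Sign in with ..." flows this paragraph describes authenticate through OpenID Connect layered on top of it, which is also why the paragraph's later caveat that the provider only shares "some basic information" holds. Since every locale mirrors the source string, fix the wording upstream (e.g. `an authorization protocol commonly used for sign-in`) rather than patching one translation.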
@@ -5,17 +5,17 @@ icon: material/email description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. --- -电子邮件在默认情况下是一种不安全的通信形式。 You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. +电子邮件在默认情况下是一种不安全的通信形式。 You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. 因此,电子邮件最好用于接收来自你在线注册的服务的交易性邮件(如通知、验证邮件、密码重置等),而不是用于与他人交流。 ## 电子邮件加密概述 -在不同的电邮供应商之间为电子邮件添加端到端加密的标准方法是使用OpenPGP。 OpenPGP标准有不同的实现方式,最常见的是 [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) 和 [OpenPGP.js](https://openpgpjs.org)。 +在不同的电邮供应商之间为电子邮件添加端到端加密的标准方法是使用OpenPGP。 There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). -即使你使用OpenPGP,它也不支持 [前向加密](https://en.wikipedia.org/wiki/Forward_secrecy),这意味着如果你或收件人的私钥被盗,所有在之前使用它加密的信息都将被暴露。 这就是为什么我们推荐 [即时通讯工具](../real-time-communication.md) ,比起电子邮件,它尽可能更好地在人与人之间的通信中实现前向保密性。 +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. 这就是为什么我们推荐 [即时通讯工具](../real-time-communication.md) ,比起电子邮件,它尽可能更好地在人与人之间的通信中实现前向保密性。 -There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. ## 什么是网络密钥目录标准? 
@@ -23,13 +23,13 @@ The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email 除了我们推荐的 [电子邮件客户端(](../email-clients.md) )支持 WKD 外,一些网络邮件提供商也支持 WKD。 *您自己的* 密钥是否发布到 WKD 供他人使用,取决于您的域配置。 如果您使用支持 WKD 的 [电子邮件提供商](../email.md#openpgp-compatible-services) (如 Proton Mail 或 Mailbox.org),他们可以为您在其域上发布 OpenPGP 密钥。 -如果使用自己的自定义域,则需要单独配置 WKD。 如果您能控制自己的域名,那么无论您的电子邮件提供商是谁,您都可以设置 WKD。 One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). 或者,您也可以 [自行将 WKD 托管在自己的网络服务器上](https://wiki.gnupg.org/WKDHosting)。 +如果使用自己的自定义域,则需要单独配置 WKD。 如果您能控制自己的域名,那么无论您的电子邮件提供商是谁,您都可以设置 WKD。 One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). 或者,您也可以 [自行将 WKD 托管在自己的网络服务器上](https://wiki.gnupg.org/WKDHosting)。 -如果您使用不支持 WKD 的提供商提供的共享域名(如 @gmail.com),则无法通过此方法与他人共享 OpenPGP 密钥。 +If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. ### 哪些电子邮件客户端支持端到端加密? -允许你使用IMAP和SMTP等标准访问协议的电子邮件提供商可以与我们推荐的任何 [电子邮件客户端一起使用](../email-clients.md)。 Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. 
+允许你使用IMAP和SMTP等标准访问协议的电子邮件提供商可以与我们推荐的任何 [电子邮件客户端一起使用](../email-clients.md)。 Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. ### 我如何保护我的私钥? 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib ## 电子邮件元数据概述 -电子邮件元数据存储在电子邮件的 [信息标题](https://en.wikipedia.org/wiki/Email#Message_header) ,包括一些你可能已经看到的可见标题,如: `To`, `From`, `Cc`, `Date`, `Subject`。 许多电子邮件客户和供应商还包括一些隐藏的标题,可以揭示有关你的账户的信息。 +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. 许多电子邮件客户和供应商还包括一些隐藏的标题,可以揭示有关你的账户的信息。 客户端软件可以使用电子邮件元数据来显示信息来自谁,以及什么时间收到的。 服务器可能使用它来确定电子邮件必须发送到哪里,其中还有一些不那么透明的 [其他目的](https://en.wikipedia.org/wiki/Email#Message_header) 。 ### 谁可以查看电子邮件元数据? -电子邮件元数据通过 [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) ,保护其不受外界观察者的影响,但它仍然能够被你的电子邮件客户端软件(或网络邮件)和任何将你的信息转发给任何收件人(包括你的电子邮件供应商)的服务器看到。 有时,电子邮件服务器也会使用第三方服务来防止垃圾邮件,这些服务一般也能接触到你的邮件。 +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. 有时,电子邮件服务器也会使用第三方服务来防止垃圾邮件,这些服务一般也能接触到你的邮件。 ### 为什么元数据不能被端到端加密? -电子邮件元数据对于电子邮件最基本的功能(它从哪里来,又要到哪里去)至关重要。 E2EE最初没有内置于电子邮件协议中,而是需要像OpenPGP这样的附加软件。 Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. +电子邮件元数据对于电子邮件最基本的功能(它从哪里来,又要到哪里去)至关重要。 E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. 
Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/zh/email-aliasing.md b/i18n/zh/email-aliasing.md index bc73aeb2..220bce59 100644 --- a/i18n/zh/email-aliasing.md +++ b/i18n/zh/email-aliasing.md 
@@ -10,7 +10,34 @@ cover: email-aliasing.webp - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } -An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. 
+ +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. + +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## 推荐的供应商
@@ -19,20 +46,7 @@ An **email aliasing service** allows you to easily generate a new email address
-Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. - -Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: - -- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. -- Replies are sent from the alias address, shielding your real email address. - -They also have a number of benefits over "temporary email" services: - -- Aliases are permanent and can be turned on again if you need to receive something like a password reset. -- Emails are sent to your trusted mailbox rather than stored by the alias provider. -- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. - -Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. @@ -42,29 +56,31 @@ Using an aliasing service requires trusting both your email provider and your al ![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } -**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases. +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation} +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } -[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
Downloads -- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app) -- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) -- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on Addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. -You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). Notable free features: 
@@ -86,7 +102,7 @@ If you cancel your subscription, you will still enjoy the features of your paid [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation} +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
@@ -97,18 +113,18 @@ If you cancel your subscription, you will still enjoy the features of your paid - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) -- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. -You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). -You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq). +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). 
Notable free features: @@ -121,6 +137,6 @@ When your subscription ends, all aliases you created will still be able to recei ## Criteria -**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you. +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/zh/email-clients.md b/i18n/zh/email-clients.md index 4ea0cbef..b410147c 100644 --- a/i18n/zh/email-clients.md +++ b/i18n/zh/email-clients.md 
@@ -10,7 +10,7 @@ cover: email-clients.webp - [:material-server-network: 服务提供商](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} - [:material-target-account: 定向攻击](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} -The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
Email does not provide forward secrecy diff --git a/i18n/zh/email.md b/i18n/zh/email.md index d99f9bbc..468b60e6 100644 --- a/i18n/zh/email.md +++ b/i18n/zh/email.md @@ -22,19 +22,19 @@ global: 对于其他一切,我们根据可持续的商业模式和内置的安全和隐私功能,推荐各种电子邮件供应商。 Read our [full list of criteria](#criteria) for more information. -| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments | -| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------- | -| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | -| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | -| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party | +| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods | +| --------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash | +| [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero
Cash via third party | -In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. - [More Information :material-arrow-right-drop-circle:](email-aliasing.md) ## OpenPGP 兼容服务 -These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. 例如,Proton Mail用户可以向Mailbox.org用户发送E2EE信息,或者你可以从支持OpenPGP的互联网服务中收到OpenPGP加密的通知。 +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. 例如,Proton Mail用户可以向Mailbox.org用户发送E2EE信息,或者你可以从支持OpenPGP的互联网服务中收到OpenPGP加密的通知。
@@ -48,7 +48,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key 当使用像OpenPGP这样的E2EE技术时,电子邮件仍然会有一些元数据没有在电子邮件的标题中进行加密。 Read more about [email metadata](basics/email-security.md#email-metadata-overview). -即使你使用OpenPGP,它也不支持 前向加密,这意味着如果你或收件人的私钥被盗,所有在之前使用它加密的信息都将被暴露。 [如何保护我的私钥?](basics/email-security.md#how-do-i-protect-my-private-keys) +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
@@ -58,7 +60,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key ! [Proton Mail徽标] (assets/img/email/protonmail.svg) {align = right} -* * Proton Mail * *是一项专注于隐私、加密、安全性和易用性的电子邮件服务。 They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. +* * Proton Mail * *是一项专注于隐私、加密、安全性和易用性的电子邮件服务。 They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } 
@@ -81,9 +85,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key -免费账户有一些限制,如不能搜索正文,不能访问 [Proton Mail Bridge](https://proton.me/mail/bridge),这是使用 [推荐的桌面电子邮件客户端](email-clients.md) (如Thunderbird)所需要的。 付费帐户包括Proton Mail Bridge等功能,额外的存储空间和自定义域支持。 2021年11月9日, [Securitum](https://research.securitum.com),为Proton Mail的应用程序提供了一份 [的证明信](https://proton.me/blog/security-audit-all-proton-apps)。 +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). 付费帐户包括Proton Mail Bridge等功能,额外的存储空间和自定义域支持。 If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. -If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free. +2021年11月9日, [Securitum](https://research.securitum.com),为Proton Mail的应用程序提供了一份 [的证明信](https://proton.me/blog/security-audit-all-proton-apps)。 Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. 
@@ -93,7 +97,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat #### :material-check:{ .pg-green } Private Payment Methods -Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. #### :material-check:{ .pg-green } Account Security 
@@ -109,7 +113,7 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. 给其他Proton Mail账户的邮件是自动加密的,用OpenPGP密钥给非Proton Mail地址加密可以在账户设置中轻松启用。 Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. -Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. 这使得不使用Proton Mail的人可以轻松找到Proton Mail账户的OpenPGP密钥,实现跨供应商的E2EE。 This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination 
@@ -117,17 +121,17 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d #### :material-information-outline:{ .pg-blue } Additional Functionality -Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. - -Proton Mail不提供数字遗留功能。 +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. ### Mailbox.org
-![Mailbox.org标志](assets/img/email/mailboxorg.svg){ align=right } +![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } -**Mailbox.org**是一个专注于安全、无广告、并由100%环保能源私人提供的电子邮件服务。 他们自2014年以来一直在运作。 Mailbox.org总部位于德国柏林。 Accounts start with up to 2 GB storage, which can be upgraded as needed. +**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. 他们自2014年以来一直在运作。 Mailbox.org总部位于德国柏林。 + +Accounts start with up to 2 GB storage, which can be upgraded as needed. [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } 
@@ -148,23 +152,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k #### :material-check:{ .pg-green } Private Payment Methods -Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung. +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. #### :material-check:{ .pg-green } Account Security -Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. +Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. #### :material-information-outline:{ .pg-blue } Data Security Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). 
New messages that you receive will then be immediately encrypted with your public key. -However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. #### :material-check:{ .pg-green } Email Encryption Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. -Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately. +Mailbox.org also supports the discovery of public keys via HTTP from their WKD. 
This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. #### :material-information-outline:{ .pg-blue } Account Termination @@ -176,7 +180,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. -Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. ## More Providers 
@@ -195,7 +199,9 @@ These providers store your emails with zero-knowledge encryption, making them gr ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } -**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } @@ -226,7 +232,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u #### :material-information-outline:{ .pg-blue } Private Payment Methods -Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. +Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. #### :material-check:{ .pg-green } Account Security 
@@ -234,7 +240,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit #### :material-check:{ .pg-green } Data Security -Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. +Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you. #### :material-information-outline:{ .pg-blue } Email Encryption @@ -248,8 +254,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. -Tuta doesn't offer a digital legacy feature. - ## Self-Hosting Email Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: 
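Review bot: the `@@ -248,8` hunk of i18n/zh/email.md drops `-Tuta doesn't offer a digital legacy feature.` with no replacement, so the Tuta section now says nothing about digital legacy while the Mailbox.org section above still documents its feature under the same checklist. If Tuta's offering changed, state the new situation in the same place; otherwise keep the sentence so the two providers remain comparable on that point.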
@@ -315,21 +319,22 @@ We regard these features as important in order to provide a safe and optimal ser **符合条件的最低要求。** -- Encrypts email account data at rest with zero-access encryption. -- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. -- Operates on owned infrastructure, i.e. not built upon third-party email service providers. +- Must encrypt email account data at rest with zero-access encryption. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. **Best Case:** -- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption. -- Integrated webmail E2EE/PGP encryption provided as a convenience. -- Support for WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` -- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. -- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). -- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support. 
-- Allows users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. - Catch-all or alias functionality for those who use their own domains. -- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. 
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). ### 隐私 
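Review bot: in the `@@ -315,21` hunk of i18n/zh/email.md the custom-domain requirement is now listed twice: `+- Allow users to use their own [domain name]...` under the minimum requirements and `+- Should allow users to use their own [domain name]...` under Best Case, each followed by the same justification sentence. Keep one (the move into the minimum requirements looks intended, since the old best-case line is removed) and drop the other. In the same hunk the new minimum-list line lacks the `Must` prefix given to its siblings, and `- Support for a temporary mailbox for external users...` and `- Catch-all or alias functionality...` in the best-case list keep the old noun style while their neighbours were rewritten as `Should ...`.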
@@ -337,30 +342,30 @@ We prefer our recommended providers to collect as little data as possible. **符合条件的最低要求。** -- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field. -- Don't require personally identifiable information (PII) besides a username and a password. -- Privacy policy that meets the requirements defined by the GDPR. +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. **Best Case:** -- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) -- Hosted in a jurisdiction with strong email privacy protection laws. +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. ### 安全性 -Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers. +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. **符合条件的最低要求。** -- Protection of webmail with 2FA, such as TOTP. -- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Zero-access encryption, which builds on encryption at rest. 
The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). -- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. -- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). 
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. - Website security standards such as: @@ -370,10 +375,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w **Best Case:** -- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. -- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). -- Published security audits from a reputable third-party firm. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. - Website security standards such as: - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) 
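Review bot: the `@@ -337,30` hunk of i18n/zh/email.md converts some minimum-requirement bullets to `Must ...` (`+- Must protect sender's IP address`, `+- Must have a proper [DMARC]`) but leaves the rest as bare nouns (`- Protection of webmail with 2FA`, `- Zero-access encryption, ...`, `- [DNSSEC] support`, `- A valid [MTA-STS]...`), so readers may take the unprefixed items as softer than the prefixed ones; convert the whole list or none. In the `@@ -370,10` hunk, `+- Should support hardware authentication, i.e. U2F and [WebAuthn]` reads better with `such as` than `i.e.`, and the unchanged CAA bullet still links RFC 6844, which RFC 8659 has obsoleted (same record type); worth updating the link while this list is being touched.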
@@ -398,18 +403,15 @@ With the email providers we recommend, we like to see responsible marketing. **符合条件的最低要求。** - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). - -Must not have any irresponsible marketing, which can include the following: - -- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. -- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: - - - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) - - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) **Best Case:** -- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. ### Additional Functionality diff --git a/i18n/zh/os/android-overview.md b/i18n/zh/os/android-overview.md index 64d429f5..32315986 100644 --- a/i18n/zh/os/android-overview.md 
+++ b/i18n/zh/os/android-overview.md @@ -132,7 +132,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr 高级保护计划提供增强的威胁监控,并支持: -- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) - 只有谷歌和经过验证的第三方应用程序可以访问账户数据 - 在 Gmail 帐户上扫描收到的邮件以进行 [钓鱼](https://en.wikipedia.org/wiki/Phishing#Email_phishing) 尝试 - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome 
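Review bot: in the `@@ -398,18` hunk of i18n/zh/email.md (the hunk just before the android-overview.md diff), `+    - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.)` carries over a misplaced parenthesis; it should read `Reusing personal information (e.g. email accounts, unique pseudonyms, etc.)`. Since the line is already being rewritten to drop `VPN` from the anonymity-software example, fix the punctuation in the same edit.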
@@ -154,7 +154,9 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. 禁用此功能以限制收集到的关于你的数据。 -在带有 [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play)的安卓发行上,进入 :gear: **设置** → **应用程序** → **Sandboxed Google Play** → **谷歌设置** → **广告**,并选择 *删除广告 ID*。 +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. 查看 diff --git a/includes/abbreviations.ar.txt b/includes/abbreviations.ar.txt index 44b8e2b9..ad94bdce 100644 --- a/includes/abbreviations.ar.txt +++ b/includes/abbreviations.ar.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project *[ATA]: Advanced Technology Attachment -*[attack surface]: The total number of possible entry points for unauthorized access to a system. +*[attack surface]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: Command Line Interface *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End Encryption/Encrypted *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: End-of-Life *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation *[GPG]: GNU Privacy Guard (PGP implementation) *[GPS]: Global Positioning System *[GUI]: Graphical User Interface *[GnuPG]: GNU Privacy Guard (PGP implementation) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
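Review bot: the `@@ -2,42` hunk of includes/abbreviations.ar.txt (repeated identically in abbreviations.bn-IN.txt and abbreviations.bn.txt) regresses several English definitions. `+*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads` has a number error (`packets`) and defines the term by one of its uses; the expansion it replaces, `Deep Packet Inspection`, was correct. `+*[dark pattern]: ... trick a user into doing things` and `+*[digital legacy feature]: Digital Legacy refers to features that ...` are vaguer than the lines they replace, and `+*[HOTP]: HMAC (...) based One-Time Password` loses the hyphen of `HMAC-based`. If these strings come from a stale Crowdin source, the source should be resynced before merging. The hunk also strips trailing periods here while the later hunks of the same file keep them on the QUIC, rate limits, open-weights, system prompt and temperature entries.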
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Factor Authentication -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: One-Time Password *[OTPs]: One-Time Passwords 
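Review bot: in the `@@ -49,19` hunk of includes/abbreviations.ar.txt (same change in bn-IN and bn), `+*[open-weights]: An open weights-model is an AI model ...` hyphenates the wrong pair; it should read `open-weights model`, matching the key. `+*[NAT]: Network address translation` is written in sentence case while its neighbours (`Nonvolatile Memory Express`, `NAT Port Mapping Protocol`) keep title case; use `Network Address Translation`. The new `+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)` also spells the parenthetical differently from the unchanged `*[FDE]: Full Disk Encryption` entry a few lines up; pick one form.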
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.bn-IN.txt b/includes/abbreviations.bn-IN.txt index d8a21651..de1c9c55 100644 --- a/includes/abbreviations.bn-IN.txt +++ b/includes/abbreviations.bn-IN.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project *[ATA]: Advanced Technology Attachment -*[attack surface]: The total number of possible entry points for unauthorized access to a system. +*[attack surface]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: Command Line Interface *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End Encryption/Encrypted *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: End-of-Life *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation *[GPG]: GNU Privacy Guard (PGP implementation) *[GPS]: Global Positioning System *[GUI]: Graphical User Interface *[GnuPG]: GNU Privacy Guard (PGP implementation) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Factor Authentication -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: One-Time Password *[OTPs]: One-Time Passwords 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.bn.txt b/includes/abbreviations.bn.txt index b36f302a..4fa72299 100644 --- a/includes/abbreviations.bn.txt +++ b/includes/abbreviations.bn.txt 
@@ -2,42 +2,42 @@ *[এডিবি]: অ্যান্ড্রয়েড ডিবাগ ব্রিজ *[এওএসপি]: অ্যান্ড্রয়েড মুক্ত উৎস প্রকল্প *[এটিএ]: অ্যাডভান্সড টেকনোলজি অ্যাটাচমেন্ট -*[অ্যাটাক সার্ফেস]: The total number of possible entry points for unauthorized access to a system. +*[অ্যাটাক সার্ফেস]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: Command Line Interface *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End Encryption/Encrypted *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: End-of-Life *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation *[GPG]: GNU Privacy Guard (PGP implementation) *[GPS]: Global Positioning System *[GUI]: Graphical User Interface *[GnuPG]: GNU Privacy Guard (PGP implementation) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Factor Authentication -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: One-Time Password *[OTPs]: One-Time Passwords 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.cs.txt b/includes/abbreviations.cs.txt index c7beeb41..62181a1b 100644 --- a/includes/abbreviations.cs.txt +++ b/includes/abbreviations.cs.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project *[ATA]: Advanced Technology Attachment -*[attack surface]: The total number of possible entry points for unauthorized access to a system. +*[attack surface]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: Příkazová řádka *[CSV]: Hodnoty oddělené čárkou *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Systém doménových jmen *[DoH]: DNS přes HTTPS *[DoQ]: DNS přes QUIC *[DoH3]: DNS přes HTTP/3 *[DoT]: DNS přes TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End Encryption/Encrypted *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: End-of-Life *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation *[GPG]: GNU Privacy Guard (implementace PGP) *[GPS]: Global Positioning System *[GUI]: Graphical User Interface *[GnuPG]: GNU Privacy Guard (implementace PGP) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Nativní rozhraní Java *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Factor Authentication -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: Jednorázové heslo *[OTPs]: One-Time Passwords 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Linux s vylepšenou bezpečností *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Označení názvu serveru *[SSD]: Polovodičový disk *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: Systém na čipu -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.de.txt b/includes/abbreviations.de.txt index 83e628ff..94a3c96d 100644 --- a/includes/abbreviations.de.txt +++ b/includes/abbreviations.de.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debugging Brücke *[AOSP]: Android Open-Source Projekt *[ATA]: AT Attachment (Standard für die parallele Verbindung von Laufwerken) -*[attack surface]: The total number of possible entry points for unauthorized access to a system. +*[attack surface]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups. Ein Bestandteil des Linux-Kernels, welcher Resourcennutzung isoliert und begrenzt. *[CLI]: Kommandozeilen-Schnittstelle *[CSV]: Kommagetrennte Werte *[CVE]: Häufige Schwachstellen und Gefährdungen -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domänennamensystem-Sicherheitserweiterungen *[DNS]: Domänennamensystem *[DoH]: DNS über HTTPS *[DoQ]: DNS über QUIC *[DoH3]: DNS über HTTP/3 *[DoT]: DNS über TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Ende-zu-Ende-Verschlüsselung/Verschlüsselt *[ECS]: EDNS Client Subnetz *[EWR]: Europäischer Wirtschaftsraum -*[Entropie]: A measurement of how unpredictable something is. +*[Entropie]: A measurement of how unpredictable something is *[EOL]: Ende des Produktlebens- oder Support-Zyklus. Gemeint ist häufig das Ende der Unterstützung mit Sicherheitsupdates. 
*[Exif]: Austauschbares Bilddateiformat *[FCM]: Firebase-Cloud-Nachrichtendienst *[FDE]: vollständige Festplattenverschlüsselung *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy (vorwärts gerichtete Geheimhaltung) -*[fork]: A new software project created by copying an existing project and adding to it independently. +*[fork]: A new software project created by copying an existing project and adding to it independently *[DSGVO]: Datenschutzverordnung *[GPG]: GNU Privacy Guard (PGP-Implementierung) *[GPS]: Globales Positionsbestimmungssystem *[GUI]: Grafische Benutzeroberfläche *[GnuPG]: GNU Privacy Guard (PGP-Implementierung) *[HDD]: Festplattenlaufwerk -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: sicheres Hypertext-Übertragungsprotokoll *[HTTP]: Hypertext-Übertragungsprotokoll -*[Hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[Hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrierter Schaltkreiskarten-Identifikator *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
@@ -49,19 +49,22 @@ *[ISPs]: Internetdienstanbieter *[JNI]: Native Java-Schnittstelle *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Anwendungsschutz *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Faktor-Authentifizierung -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Netzwerk-Zeitprotokoll *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Betriebssystem *[OTP]: Einmalpasswort *[OTPs]: Einmalpasswörter 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personenbezogene Daten *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.el.txt b/includes/abbreviations.el.txt index f21d64ed..923291a2 100644 --- a/includes/abbreviations.el.txt +++ b/includes/abbreviations.el.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge (ελληνιστί: Γέφυρα Αποσφαλμάτωσης Android) *[AOSP]: Έργο Ανοιχτού Κώδικα Android *[ATA]: Advanced Technology Attachment -*[επιφάνεια επίθεσης]: The total number of possible entry points for unauthorized access to a system. +*[επιφάνεια επίθεσης]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot (ελληνιστί: Επαληθευμένη Εκκίνηση Android) *[cgroups]: Ομάδες Ελέγχου *[CLI]: Διεπαφή Γραμμής Εντολών (αγγλικά: Command-Line Interface) *[CSV]: Τιμές Διαχωρισμένες με Κόμμα *[CVE]: Κοινές Ευπάθειες και Εκθέσεις -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Σύστημα Ονομάτων Τομέων – Επεκτάσεις Ασφάλειας *[DNS]: Σύστημα Ονομάτων Τομέων *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Κρυπτογράφηση/-μένο από Άκρο-σε-Άκρο *[ECS]: EDNS Client Subnet (Υποδίκτυο Πελάτη EDNS) *[EEA]: ΕΟΧ: Ευρωπαϊκός Οικονομικός Χώρος -*[εντροπία]: A measurement of how unpredictable something is. +*[εντροπία]: A measurement of how unpredictable something is *[EOL]: Τέλος Κύκλου Ζωής (αγγλικά: End-of-Life) *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Κρυπτογράφηση Πλήρους Δίσκου (αγγλικά: Full Disk Encryption) *[FIDO]: Fast IDentity Online *[FS]: Εμπρόσθια Μυστικότητα (αγγλικά: Forward Secrecy) -*[φορκάρισμα]: A new software project created by copying an existing project and adding to it independently. 
+*[φορκάρισμα]: A new software project created by copying an existing project and adding to it independently *[GDPR]: ΓΚΠΔ: Γενικός Κανονισμός για την Προστασία Δεδομένων *[GPG]: GNU Privacy Guard (υλοποίηση του PGP) *[GPS]: Παγκόσμιο Σύστημα Θεσιθεσίας *[GUI]: Γραφικό Περιβάλλον *[GnuPG]: GNU Privacy Guard (υλοποίηση του PGP) *[HDD]: Σκληρός Δίσκος Μαγνητικής Περιστροφής -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure (ελληνιστί: Ασφαλές Πρωτόκολλο Μεταφοράς Υπερκειμένου) *[HTTP]: Hypertext Transfer Protocol (ελληνιστί: Πρωτόκολλο Μεταφοράς Υπερκειμένου) -*[υπερβλέπων]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[υπερβλέπων]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier (ελληνιστί: Ταυτοποιητικό Κάρτας Ολοκληρωμένου Κυκλώματος) *[IMAP]: Internet Message Access Protocol *[IMEI]: Διεθνής Ταυτότητα Κινητού Εξοπλισμού 
@@ -49,19 +49,22 @@ *[ISPs]: Πάροχοι Υπηρεσιών Διαδικτύου *[JNI]: Java Native Interface (ελληνιστί: Εγγενής Διεπαφή Java) *[KYC]: Μέτρα Δέουσας Επιμέλειας (νομικός όρος) ή "Συστηθείτε" (μαρκετίστικος όρος) -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Έλεγχος Προσπέλασης Μέσου (αγγλικά: Medium Access Control) *[MDAG]: Microsoft Defender Application Guard *[MEID]: Ταυτοποιητικό Κινητού Εξοπλισμού *[MFA]: Αυθεντικοποίηση Πολλών Παραγόντων -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Πρωτόκολλο Δικτυακού Χρόνου *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol (ελληνιστί: Πρωτόκολλο Διαδικτυακού Πιστοποιητικού Κατάστασης) *[OEM]: Παραγωγός Πρωτότυπου Εξοπλισμού *[OEMs]: Παραγωγοί Πρωτότυπου Εξοπλισμού +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[ΛΣ]: Λειτουργικό Σύστημα *[OTP]: Κωδικός Μιας-Χρήσης *[OTPs]: Κωδικοί Μιας-Χρήσης 
@@ -69,12 +72,12 @@ *[P2P]: Ομότιμο *[PAM]: Pluggable Authentication Modules (υποσύστημα του Linux) *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Προσωπικές Ταυτοποιήσιμες Πληροφορίες (αγγλικά: Personally Identifiable Information) *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[κυλιόμενη κυκλοφορία]: Updates which are released frequently rather than at set intervals. +*[κυλιόμενη κυκλοφορία]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Μονάδα Ταυτότητας Συνδρομής @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication (ελληνιστί: Ένδειξη Ονόματος Διακομιστή) *[SSD]: Σκληρός Δίσκος Στερεάς Κατάστασης *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Λογισμικό ως Υπηρεσία ("Λογισμικό Νέφους") *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol (ελληνιστί: Πρωτόκολλο Ελέγχου Μεταφοράς) *[TEE]: Trusted Execution Environment (ελληνιστί: Εμπιστευμένο Περιβάλλον Εκτέλεσης) *[TLS]: Transport Layer Security (ελληνιστί: Ασφάλεια Επιπέδου Μεταφοράς) diff --git a/includes/abbreviations.eo.txt b/includes/abbreviations.eo.txt index d8a21651..de1c9c55 100644 --- a/includes/abbreviations.eo.txt 
+++ b/includes/abbreviations.eo.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project *[ATA]: Advanced Technology Attachment -*[attack surface]: The total number of possible entry points for unauthorized access to a system. +*[attack surface]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: Command Line Interface *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End Encryption/Encrypted *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: End-of-Life *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation *[GPG]: GNU Privacy Guard (PGP implementation) *[GPS]: Global Positioning System *[GUI]: Graphical User Interface *[GnuPG]: GNU Privacy Guard (PGP implementation) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Factor Authentication -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: One-Time Password *[OTPs]: One-Time Passwords 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.es.txt b/includes/abbreviations.es.txt index 4c858485..c3664ffd 100644 --- a/includes/abbreviations.es.txt +++ b/includes/abbreviations.es.txt 
@@ -2,42 +2,42 @@ *[ADB]: Puente de Depura de Android *[AOSP]: Android Open Source Project *[ATA]: Adjunto de Tecnología Avanzada -*[superficie de ataque]: The total number of possible entry points for unauthorized access to a system. +*[superficie de ataque]: The total number of possible entry points for unauthorized access to a system *[AVB]: Inicio Verificado de Android *[cgroups]: Grupos de Control *[CLI]: Interfaz de Línea de Comando *[CSV]: Valores Separados por Coma *[CVE]: Vulnerabilidades y Exposiciones Comunes -*[patrón oscuro]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[patrón oscuro]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Extensiones de Seguridad del Sistema de Nombres de Dominio *[DNS]: Sistema de Nombre de Dominio *[DoH]: DNS sobre HTTPS *[DoQ]: DNS sobre QUIC *[DoH3]: DNS sobre HTTP/3 *[DoT]: DNS sobre TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Cifrado/Encriptación de Extremo a Extremo *[ECS]: Subred de Cliente EDNS *[EEA]: Espacio Económico Europeo -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: Fin de Vida *[Exif]: Formato de archivo de imagen intercambiable *[FCM]: Firebase Cloud Messaging *[FDE]: Encriptación de Disco Completo *[FIDO]: Fast IDentity Online *[FS]: Secreto Hacia Adelante -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: Reglamento General de Protección de Datos *[GPG]: GNU Privacy Guard (implementación de PGP) *[GPS]: Sistema de Posicionamiento Global *[GUI]: Interfaz Gráfica de Usuario *[GnuPG]: GNU Privacy Guard (implementación de PGP) *[HDD]: Unidad de Disco Duro -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Protocolo de Transferencia de Hipertexto Seguro *[HTTP]: Protocolo de Transferencia de Hipertexto -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Identificador de Tarjeta de Circuito Integrado *[IMAP]: Protocolo de Acceso a Mensajes de Internet *[IMEI]: Identidad Internacional de Equipos Móviles 
@@ -49,19 +49,22 @@ *[ISPs]: Proveedores de Servicio de Internet *[JNI]: Interfaz nativa de Java *[KYC]: Conoce a Tu Cliente -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Control de Acceso a los Medios *[MDAG]: Protección de aplicaciones de Microsoft Defender *[MEID]: Identificador de Equipo Móvil *[MFA]: Autenticación de Múltiples Factores -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Protocolo de Tiempo de Red *[OCI]: Iniciativa de Contenedor Abierto *[OCSP]: Protocolo del Estado del Certificado de Línea *[OEM]: Fabricante Original de Equipo *[OEMs]: Fabricantes Originales de Equipos +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Sistema Operativo *[OTP]: Contraseña de Un Solo Uso *[OTPs]: Contraseña de Un Solo Uso 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Módulos de Autenticación Conectables a Linux *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Información Personalmente Identificable *[QNAME]: Nombre Cualificado -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[límites de tarifa]: Los límites de tarifa son restricciones que un servicio impone al número de veces que un usuario puede acceder a sus servicios en un periodo de tiempo determinado. -*[liberación progresiva]: Updates which are released frequently rather than at set intervals. +*[liberación progresiva]: Updates which are released frequently rather than set intervals *[RSS]: Sindicación Realmente Sencilla *[SELinux]: Linux con Seguridad Mejorada *[SIM]: Módulo de Identidad del Suscriptor @@ -83,10 +86,12 @@ *[SNI]: Indicación del Nombre de Servidor *[SSD]: Unidad de Disco Duro de Estado Sólido *[SSH]: Shell Seguro -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software como servicio (software en la nube) *[SoC]: Sistema en chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Protocolo de Control de Transmisión *[TEE]: Entorno de Ejecución de Confianza *[TLS]: Seguridad de la Capa de Transporte diff --git a/includes/abbreviations.fa.txt b/includes/abbreviations.fa.txt index 6dd3f9e1..7e1f49f0 100644 --- a/includes/abbreviations.fa.txt +++ b/includes/abbreviations.fa.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: پروژه متن باز اندروید *[ATA]: Advanced Technology Attachment -*[attack surface]: The total number of possible entry points for unauthorized access to a system. +*[attack surface]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: رابط خط فرمان *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS بر روی HTTPS *[DoQ]: DNS بر روی QUIC *[DoH3]: DNS بر روی HTTP/3 *[DoT]: DNS بر روی TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: رمزگذاری پایان به پایان *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: پایان عمر *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation *[GPG]: GNU Privacy Guard (PGP implementation) *[GPS]: Global Positioning System *[GUI]: رابط کاربری گرافیکی *[GnuPG]: GNU Privacy Guard (PGP implementation) *[HDD]: هارد دیسک -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
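Review bot: In the `@@ -2,42 +2,42 @@` hunk, `+*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads` has a number error ("packets") and turns an expansion into a claim that is only partly true: DPI inspects packet payloads beyond the headers, and blocking is only one possible action alongside logging, classification, throttling and injection. Since every other acronym in this file is given as a bare expansion (`*[DNSSEC]: Domain Name System Security Extensions`, `*[FDE]: Full Disk Encryption`), suggest keeping the original `Deep Packet Inspection` or, if a gloss is wanted, "Deep Packet Inspection (examining packet payloads, not just headers, typically to classify, block or log traffic)". Also in this hunk, `+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password` loses the hyphen of the standard name "HMAC-Based One-Time Password" (the title of RFC 4226); the removed line had the hyphen, only the parenthetical sat awkwardly, so "HMAC-based One-Time Password (HMAC: Hash-based Message Authentication Code)" reads better. Related: the `@@ -49` hunk below changes LUKS to "(Full-Disk Encryption)" with a hyphen while this hunk leaves `*[FDE]: Full Disk Encryption` unhyphenated in the same file.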
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Factor Authentication -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: One-Time Password *[OTPs]: One-Time Passwords 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.fr.txt b/includes/abbreviations.fr.txt index 0c0c4b60..b7992ab4 100644 --- a/includes/abbreviations.fr.txt +++ b/includes/abbreviations.fr.txt 
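Review bot: In the `@@ -83,10 +86,12 @@` hunk, `+*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate.` misplaces who writes it: the system prompt is set by the application or service operator, not by the person chatting, and is usually hidden from that person; the distinction matters because it is exactly the boundary that prompt-injection attacks try to cross. Suggest "Instructions set by the operator of an AI chat service, usually hidden from the user, that tell the model how to behave; user messages are interpreted in the context of these instructions." `+*[temperature]: ... control the level of randomness and creativity in the generated text.` anthropomorphises a sampling parameter; "controls how randomly the next token is sampled: low values make output more deterministic, high values more varied" states what it does. `+*[SSO]: Single sign-on` is sentence case in a list that otherwise uses title case for expansions (`*[TEE]: Trusted Execution Environment` and `*[TLS]: Transport Layer Security` directly below it), the same drift as `Network address translation` in the `@@ -49` hunk.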
@@ -2,42 +2,42 @@ *[ADB]: Pont de débogage Android *[AOSP]: Projet Android Open Source *[ATA]: Attachement de technologie avancée -*[surface d'attaque]: The total number of possible entry points for unauthorized access to a system. +*[surface d'attaque]: The total number of possible entry points for unauthorized access to a system *[AVB]: Démarrage Vérifié d'Android *[cgroups]: Groupes de contrôle *[CLI]: Interface de ligne de commande *[CSV]: Valeurs séparées par des virgules *[CVE]: Vulnérabilités et expositions courantes -*[interface truquée] : A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[interface truquée] : A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Extensions de sécurité du système de nom de domaine *[DNS]: Système de nom de domaine *[DoH]: DNS sur HTTPS *[DoQ]: DNS sur QUIC *[DoH3]: DNS sur HTTP/3 *[DoT]: DNS sur TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Chiffrement/Chiffré(e)s de bout en bout *[ECS]: Sous-réseau du client EDNS *[EEA]: Espace économique européen -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: Fin de vie *[Exif]: Format de fichier image échangeable *[FCM]: Messagerie Cloud Firebase *[FDE]: Chiffrement complet du disque *[FIDO]: Identité rapide en ligne *[CP]: Confidentialité persistante -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[RGPD]: Règlement Général sur la Protection des Données *[GPG]: GNU Privacy Guard (implémentation de PGP) *[GPS]: Système de positionnement global *[GUI]: Interface utilisateur graphique *[GnuPG]: GNU Privacy Guard (implémentation de PGP) *[HDD]: Disque dur -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Protocole de transfert hypertexte sécurisé *[HTTP]: Protocole de transfert hypertexte -*[superviseur]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[superviseur]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Identificateur de carte à circuit intégré *[IMAP]: Protocole d'accès aux messages internet *[IMEI]: Identité internationale des équipements mobiles 
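Review bot: In the `@@ -2,42 +2,42 @@` hunk the dark-pattern definition gets vaguer, not sharper: `+*[interface truquée] : A deceptive design pattern intended to trick a user into doing things` replaces "taking certain actions" with "doing things", which says less about the intent (for example consenting to tracking or picking the paid option) and reads as filler; prefer the removed wording or "into taking actions they did not intend, such as accepting tracking". The key rename from `-*[digital legacy]` to `+*[digital legacy feature]` changes which text the tooltip attaches to: the abbreviations extension matches the literal key, so any page that says "digital legacy" without "feature" loses its tooltip, and on a French page the text would have to contain the English phrase for it to fire at all, unlike the translated keys in this same file (`*[surface d'attaque]`, `*[interface truquée]`). Check the pages that use the term before renaming the key, and translate the key wherever the surrounding keys are translated.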
@@ -49,19 +49,22 @@ *[FAIs]: Fournisseurs d'accès internet *[JNI]: Interface native Java *[KYC]: Connaissance du client -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Contrôle d'accès aux médias *[MDAG]: Protection des applications Microsoft Defender *[MEID]: Identificateur d'équipement mobile *[MFA]: Authentification multi-facteurs -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Protocole de temps réseau *[OCI]: Open Container Initiative *[OCSP]: Protocole d'état des certificats en ligne *[OEM]: Fabricant d'équipement d'origine *[OEMs]: Fabricants d'équipement d'origine +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Système d'exploitation *[OTP]: Mot de passe à usage unique *[OTPs]: Mots de passe à usage unique 
@@ -69,12 +72,12 @@ *[P2P]: Pair à pair *[PAM]: Modules d'authentification enfichables de Linux *[POP3]: Protocole de bureau de poste 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[DCP]: Donnée à charactère personnel *[QNAME]: Nom qualifié -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[limites de débit]: Les limites tarifaires sont des restrictions qu'un service impose sur le nombre de fois qu'un utilisateur peut accéder à ses services dans un délai donné. -*[publication continue]: Updates which are released frequently rather than at set intervals. +*[publication continue]: Updates which are released frequently rather than set intervals *[RSS]: Syndication vraiment simple *[SELinux]: Sécurité renforcée de Linux *[SIM]: Module d'identité d'abonné @@ -83,10 +86,12 @@ *[SNI]: Indication du nom du serveur *[SSD]: Disque d'état solide *[SSH]: Shell sécurisé -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Logiciel en tant que service (logiciel cloud) *[SoC]: Système sur puce -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Protocole de contrôle de transmission *[TEE]: Environnement d'exécution de confiance *[TLS]: Sécurité de la couche transport diff --git a/includes/abbreviations.he.txt b/includes/abbreviations.he.txt index 6c7b2409..f8a3b7db 100644 --- a/includes/abbreviations.he.txt +++ b/includes/abbreviations.he.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: פרויקט קוד פתוח של אנדרואיד *[ATA]: Advanced Technology Attachment -*[משטח התקפה]: The total number of possible entry points for unauthorized access to a system. +*[משטח התקפה]: The total number of possible entry points for unauthorized access to a system *[AVB]: אתחול מאומת של אנדרואיד *[cgroups]: קבוצות בקרה *[CLI]: ממשק שורת הפקודה *[CSV]: Comma-Separated Values *[CVE]: פגיעויות וחשיפות נפוצות -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: תוספי אבטחה של מערכת שמות דומיין *[DNS]: מערכת שמות מתחם *[DoH]: DNS דרך HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: הצפנה מקצה לקצה/מוצפנת *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: סוף החיים *[Exif]: פורמט קובץ תמונה ניתן להחלפה *[FCM]: Firebase Cloud Messaging *[FDE]: הצפנת דיסק מלאה *[FIDO]: זיהוי מהיר באינטרנט *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: תקנת הגנת מידע כללית *[GPG]: GNU Privacy Guard (יישום PGP) *[GPS]: מערכת מיקום גלובלית *[GUI]: ממשק משתמש גרפי *[GnuPG]: GNU Privacy Guard (יישום PGP) *[HDD]: כונן קשיח -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: זהות ציוד סלולרי בינלאומי 
@@ -49,19 +49,22 @@ *[ISPs]: ספקי שירותי אינטרנט *[JNI]: ממשק מקורי של Java *[KYC]: הכר את הלקוח שלך -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: מזהה ציוד נייד *[MFA]: אימות מרובה גורמים -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: פרוטוקול זמן רשת *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: מערכת הפעלה *[OTP]: סיסמה חד - פעמית *[OTPs]: סיסמאות חד פעמיות 
@@ -69,12 +72,12 @@ *[P2P]: עמית-לעמית *[PAM]: מודולי אימות ניתנים לחיבור של לינוקס *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: סינדיקציה ממש פשוטה *[SELinux]: לינוקס משופרת באבטחה *[SIM]: מודול זהות מנוי @@ -83,10 +86,12 @@ *[SNI]: ציון שם השרת *[SSD]: Solid-State Drive *[SSH]: מעטפת מאובטחת -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: מערכת על שבב -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: אבטחת שכבת תעבורה diff --git a/includes/abbreviations.hi.txt b/includes/abbreviations.hi.txt index d8a21651..de1c9c55 100644 --- a/includes/abbreviations.hi.txt +++ b/includes/abbreviations.hi.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project *[ATA]: Advanced Technology Attachment -*[attack surface]: The total number of possible entry points for unauthorized access to a system. +*[attack surface]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: Command Line Interface *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End Encryption/Encrypted *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: End-of-Life *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation *[GPG]: GNU Privacy Guard (PGP implementation) *[GPS]: Global Positioning System *[GUI]: Graphical User Interface *[GnuPG]: GNU Privacy Guard (PGP implementation) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Factor Authentication -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: One-Time Password *[OTPs]: One-Time Passwords 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.hu.txt b/includes/abbreviations.hu.txt index e70b3338..b1b8c9d8 100644 --- a/includes/abbreviations.hu.txt +++ b/includes/abbreviations.hu.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project - Android Nyílt Forráskódú Projekt *[ATA]: Advanced Technology Attachment -*[támadási felület]: The total number of possible entry points for unauthorized access to a system. +*[támadási felület]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: Command Line Interface - Parancssor Interface *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions - Domain Név Rendszer Biztonsági Kiterjesztések *[DNS]: Domain Name System - Domain Név Rendszer *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[End-to-End]: Végponttól végpontig terjedő titkosítás *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area - Európai Gazdasági Övezet -*[entrópia]: A measurement of how unpredictable something is. +*[entrópia]: A measurement of how unpredictable something is *[EOL]: End-of-Life - Valami életciklusának a vége *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption - Teljes Lemez Titkosítás *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy – előre titkosítás -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation - Általános Adatvédelmi Rendelet *[GPG]: GNU Privacy Guard (PGP implementáció) *[GPS]: Global Positioning System - Globális Helymeghatározó Rendszer *[GUI]: Graphical User Interface - Grafikus Felhasználói Felület *[GnuPG]: GNU Privacy Guard (PGP implementáció) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol - Internet Üzenet-Hozzáférési Protokoll *[IMEI]: International Mobile Equipment Identity 
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers - Internet Szolgáltatók *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier - Mobil Berendezés Azonosító *[MFA]: Multi-Factor Authentication - Többlépcsős Hitelesítés -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol - Hálózati Idő Protokoll *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol - Online Tanúsítvány Státusz Protokoll *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System - Operációs Rendszer *[OTP]: One-Time Password - Egyszer Használható Jelszó *[OTPs]: One-Time Passwords - Egyszer Használható Jelszavak 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information - Személyazonosításra Alkalmas Információ *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (felhőszoftver) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.id.txt b/includes/abbreviations.id.txt index 16bff7fd..9d6165b3 100644 --- a/includes/abbreviations.id.txt +++ b/includes/abbreviations.id.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project *[ATA]: Advanced Technology Attachment -*[attack surface]: The total number of possible entry points for unauthorized access to a system. +*[attack surface]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Kelompok Kontrol *[CLI]: Antarmuka Baris Perintah *[CSV]: Nilai yang Dipisahkan dengan Koma *[CVE]: Common Vulnerabilities and Exposures -*[pola gelap]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[pola gelap]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS over HTTPS *[DoQ]: DNS melalui QUIC *[DoH3]: DNS melalui HTTP/3 *[DoT]: DNS melalui TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Enkripsi Ujung ke Ujung/Terenkripsi *[ECS]: Subnet Klien EDNS *[EEA]: Wilayah Ekonomi Eropa -*[entropi]: A measurement of how unpredictable something is. +*[entropi]: A measurement of how unpredictable something is *[EOL]: Akhir Masa Pakai *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online (Identitas Daring Cepat) *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: Peraturan Perlindungan Data Umum (Uni Eropa) *[GPG]: GNU Privacy Guard (implementasi PGP) *[GPS]: Global Positioning System *[GUI]: Graphical User Interface *[GnuPG]: GNU Privacy Guard (implementasi PGP) *[HDD]: Penyimpanan Hard Disk -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Protokol Transfer Hiperteks -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: Identitas Peralatan Seluler Internasional 
@@ -49,19 +49,22 @@ *[ISPs]: Penyedia Layanan Internet *[JNI]: Antarmuka Asli Java *[KYC]: Kenali Pelanggan Anda -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Kontrol Akses Media *[MDAG]: Microsoft Defender Application Guard *[MEID]: Pengidentifikasi Peralatan Seluler *[MFA]: Autentikasi Multifaktor -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Protokol Waktu Jaringan *[OCI]: Inisiatif Kontainer Terbuka *[OCSP]: Protokol Status Sertifikat Daring *[OEM]: Produsen Peralatan Asli *[OEMs]: Produsen Peralatan Asli +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Sistem Operasi *[OTP]: Kata Sandi Sekali Pakai *[OTPs]: Kata Sandi Sekali Pakai 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Modul Otentikasi Linux yang Dapat Dicolokkan *[POP3]: Protokol Kantor Pos 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Informasi Identifikasi Pribadi *[QNAME]: Nama yang Memenuhi Syarat -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rilis bergulir]: Updates which are released frequently rather than at set intervals. +*[rilis bergulir]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Linux yang Ditingkatkan Keamanannya *[SIM]: Modul Identitas Pelanggan @@ -83,10 +86,12 @@ *[SNI]: Indikasi Nama Server *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Perangkat lunak sebagai layanan (perangkat lunak awan) *[SoC]: Sistem pada Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Protokol Kontrol Transmisi *[TEE]: Lingkungan Eksekusi Terpercaya *[TLS]: Keamanan Lapisan Transportasi diff --git a/includes/abbreviations.it.txt b/includes/abbreviations.it.txt index f33fa45a..ad888694 100644 --- a/includes/abbreviations.it.txt +++ b/includes/abbreviations.it.txt 
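Review bot: `Updates which are released frequently rather than set intervals` is ungrammatical; the removed "at" was needed (`rather than at set intervals`). `Set Owner User ID` for SUID is an unusual expansion; the conventional one is "Set User ID" (the setuid bit), so `Set User ID (setuid)` would be clearer than adding "Owner". `Single sign-on` switches to sentence case while the surrounding expansions keep title case (`Secure Shell`, `Solid-State Drive`). The new `system prompt` and `temperature` entries end with periods while this change strips periods from other single-sentence entries in the same file.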
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project *[ATA]: Allegato tecnologico avanzato -*[superficie di attacco]: The total number of possible entry points for unauthorized access to a system. +*[superficie di attacco]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Gruppo di Controllo *[CLI]: Interfaccia a linea di comando *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Crittografia/Crittografato end-to-end *[ECS]: Sottorete client EDNS *[EEA]: Spazio economico europeo -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: Fine del Supporto *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Crittografia Completa del Disco *[FIDO]: Fast Identity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: Regolamento generale per la protezione dei dati personali *[GPG]: GNU Privacy Guard (implementazione PGP) *[GPS]: Global Positioning System *[GUI]: Interfaccia grafica utente *[GnuPG]: GNU Privacy Guard (implementazione PGP) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
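Review bot: `Deep Packet Inspection identifies and blocks packet with specific payloads` has a number error (`packets`) and turns an expansion into a partial description; DPI is the inspection technique, and blocking is only one thing it is used for, so keep `Deep Packet Inspection` and, if a gloss is wanted, say something like "inspection of packet payloads, e.g. for filtering". Renaming the key from `digital legacy` to `digital legacy feature` changes what the abbreviations extension matches in page text; check that the pages now literally say "digital legacy feature", otherwise the tooltip silently disappears. `trick a user into doing things` is vaguer than the removed `taking certain actions`. Also `HMAC (...) based One-Time Password` loses the hyphen of "HMAC-based" (RFC 4226: "HMAC-Based One-Time Password").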
@@ -49,19 +49,22 @@ *[ISPs]: Fornitori di servizi Internet *[JNI]: Java Native Interface *[KYC]: Conosci Il Tuo Cliente -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Autenticazione a più fattori -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Produttore di apparecchiature originali *[OEMs]: Produttori di apparecchiature originali +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Sistema Operativo *[OTP]: Password monouso *[OTPs]: Password monouso 
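Review bot: `An open weights-model` should read `open-weights model`, consistent with the key. `Nonvolatile Memory Express` (title case) next to `Network address translation` (sentence case) is inconsistent within one hunk. The three added entries (`LLaVA`, `LLMs`, `open-weights`) are untranslated English in an Italian file whose neighbours are localized (`Conosci Il Tuo Cliente`, `Autenticazione a più fattori`); flag them for translation rather than shipping English tooltips.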
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (software cloud) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.ja.txt b/includes/abbreviations.ja.txt index 110cd52c..6fa09225 100644 --- a/includes/abbreviations.ja.txt +++ b/includes/abbreviations.ja.txt 
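Review bot: `rather than set intervals` is missing the "at" that the removed line had; restore `rather than at set intervals`. `A network protocol based on UDP, but aiming to combine` reads awkwardly without a main clause; `A UDP-based network protocol that aims to combine...` is cleaner. `Set Owner User ID` is a non-standard expansion of SUID; `Set User ID (setuid)` is the usual one. `Single sign-on` is sentence case while `Secure Shell` and `System on Chip` around it are title case, and the `system prompt`/`temperature` entries keep trailing periods that this change removes elsewhere.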
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android オープンソース プロジェクト(Android Open Source Project) *[ATA]: Advanced Technology Attachment -*[攻撃対象領域]: The total number of possible entry points for unauthorized access to a system. +*[攻撃対象領域]: The total number of possible entry points for unauthorized access to a system *[AVB]: 確認付きブート(Android Verified Boot) *[cgroups]: Control Groups *[CLI]: コマンドライン インターフェース *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: ドメインネームシステム *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: エンドツーエンド暗号化(End-to-End Encryption/Encrypted) *[ECS]: EDNSクライアントサブネット(EDNS Client Subnet) *[EEA]: 欧州経済領域 -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: サポート終了(End-of-Life) *[Exif]: 交換可能な画像ファイル形式(Exchangeable image file format) *[FCM]: Firebaseクラウドメッセージング *[FDE]: フルディスク暗号化(Full Disk Encryption) *[FIDO]: Fast IDentity Online *[FS]: 前方秘匿性(Forward Secrecy) -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: EU一般データ保護規則(General Data Protection Regulation) *[GPG]: GNU Privacy Guard(PGPの実装) *[GPS]: 全地球測位システム(Global Positioning System) *[GUI]: グラフィカルユーザーインターフェース *[GnuPG]: GNU Privacy Guard(PGPの実装) *[HDD]: ハードディスクドライブ -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: ハイパーテキスト転送プロトコル(Hypertext Transfer Protocol) -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol(インターネットメッセージアクセスプロトコル) *[IMEI]: International Mobile Equipment Identity 
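Review bot: `identifies and blocks packet with specific payloads` needs `packets`, and the DPI entry is now a description rather than an expansion, unlike every other acronym in the file. This file's convention is 日本語(English) pairs (for example `フルディスク暗号化(Full Disk Encryption)`), yet the `dark pattern`, `digital legacy feature` and `DPI` lines are added in English only; they should get the same localized form. `HMAC (...) based One-Time Password` also loses the hyphen in "HMAC-based".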
@@ -49,19 +49,22 @@ *[ISPs]: インターネットサービスプロバイダー(Internet Service Providers) *[JNI]: Javaネイティブインターフェース *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: メディア・アクセス・コントロール *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: 多要素認証(Multi-Factor Authentication) -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: ネットワークタイムプロトコル *[OCI]: Open Container Initiative *[OCSP]: オンライン証明書ステータスプロトコル(Online Certificate Status Protocol) *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: オペレーティングシステム(Operating System) *[OTP]: ワンタイムパスワード *[OTPs]: ワンタイムパスワード 
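Review bot: `(Full-Disk Encryption)` on the LUKS line disagrees with the same file's `*[FDE]: フルディスク暗号化(Full Disk Encryption)`; use one spelling of the term. `An open weights-model` should be `open-weights model`. The `LLaVA`, `LLMs` and `open-weights` entries are English-only in a file that otherwise pairs Japanese with English, so they will read as untranslated.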
@@ -69,12 +72,12 @@ *[P2P]: ピアツーピア *[PAM]: Linuxプラグイン式認証モジュール *[POP3]: Post Office Protocol 3(電子メール受信用プロトコル) -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: 個人を特定できる情報(Personally Identifiable Information) *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[ローリング・リリース]: Updates which are released frequently rather than at set intervals. +*[ローリング・リリース]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: 加入者識別モジュール @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: ソリッドステートドライブ *[SSH]: セキュアシェル(Secure Shell) -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: サービスとしてのソフトウェア(クラウドソフトウェア、Software as a Service) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: トランスミッション・コントロール・プロトコル(Transmission Control Protocol) *[TEE]: 信頼された実行環境(Trusted Execution Environment) *[TLS]: トランスポートレイヤーセキュリティー(Transport Layer Security) diff --git a/includes/abbreviations.ko.txt b/includes/abbreviations.ko.txt index 5cdd8b61..51370d5b 100644 --- a/includes/abbreviations.ko.txt +++ b/includes/abbreviations.ko.txt 
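Review bot: `rather than set intervals` drops a required "at"; the key `ローリング・リリース` is already localized, so this grammatical error now shows under a Japanese term with an English definition. `Set Owner User ID` is an unusual expansion for SUID; `Set User ID (setuid)` is standard. `Single sign-on` uses sentence case while the file's other English expansions (`Secure Shell`, `System on Chip`) are title case.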
@@ -2,42 +2,42 @@ *[ADB]: Android 디버그 브리지 *[AOSP]: Android 오픈소스 프로젝트 *[ATA]: 고급 기술 결합(Advanced Technology Attachment) -*[공격 표면]: The total number of possible entry points for unauthorized access to a system. +*[공격 표면]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android 자체 검사 부팅 *[cgroups]: Control Groups *[CLI]: 명령어 인터페이스 *[CSV]: Comma-Separated Values *[CVE]: 공통 보안 취약점 및 노출(Common Vulnerabilities and Exposures) -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: DNS Security Extensions *[DNS]: 도메인 네임 시스템 *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: 종단 간 암호화(End-to-End Encryption/Encrypted) *[ECS]: EDNS 클라이언트 서브넷 *[EEA]: 유럽 경제 지역 -*[엔트로피]: A measurement of how unpredictable something is. +*[엔트로피]: A measurement of how unpredictable something is *[EOL]: 지원 종료 (End-of-Life) *[Exif]: 교환 이미지 파일 형식(Exchangeable image file format) *[FCM]: Firebase 클라우드 메시징 *[FDE]: 전체 디스크 암호화 *[FIDO]: Fast IDentity Online *[FS]: 순방향 비밀성 -*[포크]: A new software project created by copying an existing project and adding to it independently. 
+*[포크]: A new software project created by copying an existing project and adding to it independently *[GDPR]: 유럽 연합 일반 데이터 보호 규칙(General Data Protection Regulation) *[GPG]: GNU Privacy Guard (PGP 구현체) *[GPS]: Global Positioning System *[GUI]: 그래픽 사용자 인터페이스 *[GnuPG]: GNU Privacy Guard (PGP 구현체) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: 하이퍼텍스트 보안 전송 프로토콜 *[HTTP]: 하이퍼텍스트 전송 프로토콜 -*[하이퍼바이저]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[하이퍼바이저]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: 인터넷 메시지 접속 프로토콜(Internet Message Access Protocol) *[IMEI]: 국제 이동 단말기 식별 번호(International Mobile Equipment Identity) 
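Review bot: `blocks packet with specific payloads` should be `packets`, and the DPI line now describes a use of the technique instead of expanding the acronym. The keys `공격 표면`, `엔트로피`, `포크` and `하이퍼바이저` are Korean while their definitions stay English, so trimming the trailing periods here does nothing for readers of this locale; the definitions themselves need translation. `HMAC (...) based One-Time Password` loses the hyphen in "HMAC-based" (RFC 4226).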
@@ -49,19 +49,22 @@ *[ISPs]: 인터넷 서비스 제공자 (Internet service providers) *[JNI]: Java Native Interface *[KYC]: 고객 확인 제도 -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: 이동 장비 식별 번호(Mobile Equipment Identifier) *[MFA]: 다중 인증 -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: 네트워크 타임 프로토콜(Network Time Protocol) *[OCI]: Open Container Initiative *[OCSP]: 온라인 인증서 상태 프로토콜(Online Certificate Status Protocol) *[OEM]: 주문자 상표 부착 생산 *[OEMs]: 주문자 상표 부착 생산 +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: 운영 체제 *[OTP]: 일회용 비밀번호 *[OTPs]: 일회용 비밀번호 
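Review bot: `An open weights-model` should be `open-weights model`, and the `LLaVA`/`LLMs`/`open-weights` entries are untranslated English next to `고객 확인 제도` and `다중 인증`. `Nonvolatile Memory Express` and `Network address translation` disagree on casing within the same hunk.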
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: 장착형 인증 모듈 *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: 개인 식별 정보(Personally Identifiable Information) *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[롤링 릴리스]: Updates which are released frequently rather than at set intervals. +*[롤링 릴리스]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: 보안 강화 리눅스(Security-Enhanced Linux) *[SIM]: 가입자 식별 모듈(Subscriber Identity Module) @@ -83,10 +86,12 @@ *[SNI]: 서버 이름 표시(Server Name Indication) *[SSD]: Solid-State Drive *[SSH]: 보안 셸(Secure Shell) -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: 서비스형 소프트웨어 (클라우드 기반 소프트웨어) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: 전송 제어 프로토콜 *[TEE]: 신뢰 실행 환경(Trusted Execution Environment) *[TLS]: 전송 계층 보안 diff --git a/includes/abbreviations.ku-IQ.txt b/includes/abbreviations.ku-IQ.txt index d8a21651..de1c9c55 100644 --- a/includes/abbreviations.ku-IQ.txt +++ b/includes/abbreviations.ku-IQ.txt 
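Review bot: `rather than set intervals` needs "at" (`rather than at set intervals`). `Set Owner User ID` for SUID is non-standard; `Set User ID (setuid)` is the conventional expansion. `Single sign-on` changes to sentence case while `System on Chip` and `Solid-State Drive` beside it stay title case, and the new `system prompt`/`temperature` lines keep periods that the rest of this change removes.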
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project *[ATA]: Advanced Technology Attachment -*[attack surface]: The total number of possible entry points for unauthorized access to a system. +*[attack surface]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: Command Line Interface *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End Encryption/Encrypted *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: End-of-Life *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation *[GPG]: GNU Privacy Guard (PGP implementation) *[GPS]: Global Positioning System *[GUI]: Graphical User Interface *[GnuPG]: GNU Privacy Guard (PGP implementation) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
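Review bot: `identifies and blocks packet with specific payloads` should read `packets`, and the DPI entry no longer matches the bare-expansion style of its neighbours (`E2EE`, `ECS`, `EEA`). The `digital legacy` to `digital legacy feature` key change alters what text the abbreviations extension matches in pages; confirm the pages use the new phrase. `HMAC (...) based One-Time Password` drops the hyphen from "HMAC-based".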
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Factor Authentication -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: One-Time Password *[OTPs]: One-Time Passwords 
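Review bot: `(Full-Disk Encryption)` on the LUKS line conflicts with this file's own `*[FDE]: Full Disk Encryption` in the first hunk; spell the term one way. `An open weights-model` should be `open-weights model`. `Nonvolatile Memory Express` (title case) and `Network address translation` (sentence case) are inconsistent within one hunk.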
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.nl.txt b/includes/abbreviations.nl.txt index fd3bb3d7..04d34662 100644 --- a/includes/abbreviations.nl.txt +++ b/includes/abbreviations.nl.txt 
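Review bot: `rather than set intervals` is missing "at". `Set Owner User ID` is an unusual expansion of SUID; `Set User ID (setuid)` is the standard one. `Single sign-on` is sentence case while `Secure Shell`, `Software as a Service` and `System on Chip` around it are title case, and `system prompt`/`temperature` keep trailing periods that this change strips from other entries.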
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android opensource project *[ATA]: Advanced Technology Attachment -*[aanvalsoppervlakte]: The total number of possible entry points for unauthorized access to a system. +*[aanvalsoppervlakte]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: Command Line Interface *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End Encryption/Encrypted *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: End-of-Life *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation *[GPG]: GNU Privacy Guard (PGP implementation) *[GPS]: Global Positioning System *[GUI]: Graphical User Interface *[GnuPG]: GNU Privacy Guard (PGP implementation) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
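Review bot: `blocks packet with specific payloads` needs `packets`; also keep `Deep Packet Inspection` as the expansion rather than replacing it with one application of the technique. Renaming the key to `digital legacy feature` requires the page text to contain that exact phrase, or the tooltip stops matching. `HMAC (...) based One-Time Password` loses the hyphen of "HMAC-based".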
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Java Native Interface *[KYC]: Know Your Customer (ken uw klant) -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multifactor-authenticatie -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: One-Time Password *[OTPs]: One-Time Passwords 
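Review bot: `(Full-Disk Encryption)` disagrees with `*[FDE]: Full Disk Encryption` earlier in this same file. `An open weights-model` should be `open-weights model`, and `Nonvolatile Memory Express` versus `Network address translation` mixes title and sentence case in one hunk.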
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.pl.txt b/includes/abbreviations.pl.txt index 50e61773..0c96479e 100644 --- a/includes/abbreviations.pl.txt +++ b/includes/abbreviations.pl.txt 
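Review bot: `rather than set intervals` drops the required "at". `Set Owner User ID` is a non-standard SUID expansion; prefer `Set User ID (setuid)`. `Single sign-on` switches to sentence case while neighbouring expansions stay title case, and the `system prompt`/`temperature` entries end with periods this change removes elsewhere.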
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project *[ATA]: Advanced Technology Attachment -*[Możliwości ataku]: The total number of possible entry points for unauthorized access to a system. +*[Możliwości ataku]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Grupa kontrolna *[CLI]: Interfejs wiersza poleceń *[CSV]: Wartości rozdzielone przecinkiem *[CVE]: Typowe podatności i zagrożenia -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Rozszerzenie zabezpieczeń dla systemu DNS *[DNS]: System nazw domen *[DoH]: DNS przez HTTPS *[DoQ]: DNS przez QUIC *[DoH3]: DNS przez HTTP/3 *[DoT]: DNS przez TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Kompleksowe szyfrowanie/szyfrowanie *[ECS]: Podsieć klienta EDNS *[EEA]: Europejski Obszar Gospodarczy -*[entropia]: A measurement of how unpredictable something is. +*[entropia]: A measurement of how unpredictable something is *[EOL]: Koniec życia *[Exif]: Wymienny format pliku obrazu *[FCM]: Wiadomości w chmurze Firebase *[FDE]: Pełne szyfrowanie dysku *[FIDO]: Szybka tożsamość online *[FS]: Utajnianie z wyprzedzeniem -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[RODO]: Ogólne rozporządzenie o ochronie danych *[GPG]: Oprogramowanie kryptograficzne PGP *[GPS]: Globalny system pozycjonowania *[GUI]: Graficzny Interfejs Użytkownika *[GnuPG]: Oprogramowanie kryptograficzne PGP *[HDD]: Dysk twardy -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Bezpieczny protokół przesyłania *[HTTP]: Podstawowy protokół przesyłania -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Identyfikator karty układu scalonego *[IMAP]: Protokół dostępu do wiadomości internetowych *[IMEI]: Indywidualny numer identyfikacyjny telefonu komórkowego 
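Review bot: `identifies and blocks packet with specific payloads` should be `packets`, and the DPI line is now a description rather than an expansion, unlike `DNSSEC`, `DoH` and the other acronyms around it. The `dark pattern`, `digital legacy feature` and `DPI` lines are English in a Polish file whose neighbours are translated (`Typowe podatności i zagrożenia`, `Rozszerzenie zabezpieczeń dla systemu DNS`); flag them for translation. `HMAC (...) based One-Time Password` loses the hyphen of "HMAC-based".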
@@ -49,19 +49,22 @@ *[ISPs]: Dostawcy usług internetowych *[JNI]: Natywny interfejs Java *[KYC]: Poznaj swojego klienta -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Kontrola dostępu *[MDAG]: Microsoft Defender Application Guard *[MEID]: Identyfikator sprzętu mobilnego *[MFA]: Uwierzytelnianie wieloskładnikowe -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Protokół czasu sieciowego *[OCI]: Open Container Initiative *[OCSP]: Stan certyfikatu online *[OEM]: Producent oryginalnego sprzętu *[OEMs]: Producenci oryginalnego sprzętu +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: System operacyjny *[OTP]: Jednorazowe hasło *[OTPs]: Jednorazowe hasła 
@@ -69,12 +72,12 @@ [P2P]: Peer-to-Peer *[PAM]: Moduły uwierzytelniania w systemie Linux *[POP3]: Protokół pocztowy 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Informacje umożliwiające identyfikację osoby *[QNAME]: Nazwa kwalifikowana -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Linux o zwiększonym bezpieczeństwie *[SIM]: Moduł identyfikacji abonenta @@ -83,10 +86,12 @@ *[SNI]: Wskazanie nazwy serwera *[SSD]: Dysk SSD *[SSH]: Bezpieczna powłoka -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Oprogramowanie jako usługa (oprogramowanie w chmurze) *[SoC]: System na chipie -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Protokół sterowania transmisją *[TEE]: Środowisko zaufanego wykonania *[TLS]: Bezpieczeństwo warstwy transportowej diff --git a/includes/abbreviations.pt-BR.txt b/includes/abbreviations.pt-BR.txt index 5389c3c2..70cd9baf 100644 --- a/includes/abbreviations.pt-BR.txt +++ b/includes/abbreviations.pt-BR.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Projeto Open Source Android *[ATA]: Acessório de tecnologia avançada -*[superfície de ataque]: The total number of possible entry points for unauthorized access to a system. +*[superfície de ataque]: The total number of possible entry points for unauthorized access to a system *[AVB]: Inicialização Verificada do Android *[cgroups]: Grupos de Controle *[CLI]: Interface de Linha de Comando *[CSV]: Valores Separados por Vírgulas *[CVE]: Vulnerabilidades e Exposições Comuns -: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Extensões de Segurança do Sistema de Nomes de Domínio *[DNS]: Sistema de Nomes de Domínio *[DoH]: DNS sobre HTTPS *[DoQ]: DNS sobre QUIC *[DoH3]: DNS sobre HTTP/3 *[DoT]: DNS sobre TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Criptografia/Criptografia ponto-a-ponto *[ECS]: Sub-rede de clientes EDNS *[EEA]: Espaço Econômico Europeu -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: Fim da vida útil *[Exif]: Formato de arquivo de imagem intercambiável *[FCM]: Firebase Cloud Messaging *[FDE]: Criptografia total de disco *[FIDO]: Fast IDentity Online *[FS]: Sigilo de encaminhamento -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: Regulamento Geral de Proteção de Dados *[GPG]: GNU Privacy Guard (implementação do PGP) *[GPS]: Sistema de Posicionamento Global *[GUI]: Interface Gráfica do Usuário *[GnuPG]: GNU Privacy Guard (implementação do PGP) *[HDD]: Disco Rígido -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Protocolo de Acesso a Mensagens da Internet *[IMEI]: Identificação Internacional de Equipamento Móvel 
@@ -49,19 +49,22 @@ *[ISPs]: Provedores de Internet *[JNI]: Java Native Interface *[KYC]: Conheça seu cliente -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Controle de Acesso ao Meio *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Autenticação de Múltiplos Fatores -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Protocolo de Tempo Rede *[OCI]: Iniciativa Open Container *[OCSP]: Protocolo de Status de Certificado Online *[OEM]: Fabricante do Equipamento Original *[OEMs]: Fabricantes de Equipamentos Originais +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Sistema Operacional *[OTP]: Senha de uso único *[OTPs]: Senhas de uso único 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Informações Pessoalmente Identificáveis *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[limites de taxa]: Limites de taxa são restrições que um serviço impõe ao número de vezes que um usuário pode acessar seus serviços em um período de tempo específico. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Sindicação bem simples *[SELinux]: Segurança aprimorada do Linux *[SIM]: Módulo de Identidade do Assinante @@ -83,10 +86,12 @@ *[SNI]: Indicação do Nome do Servidor *[SSD]: Disco de Estado Sólido *[SSH]: Shell Seguro -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software como um Serviço (software em nuvem) *[SoC]: Sistema em um Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Protocolo de Controle de Transmissão *[TEE]: Ambiente de Execução Confiável *[TLS]: Segurança da Camada de Transporte diff --git a/includes/abbreviations.pt.txt b/includes/abbreviations.pt.txt index 316632be..8a244cf9 100644 --- a/includes/abbreviations.pt.txt +++ b/includes/abbreviations.pt.txt 
@@ -2,42 +2,42 @@ *[ADB]: Bridge de depuração Android *[AOSP]: Projeto de código aberto Android *[ATA]: Anexo de tecnologia avançada -*[superfície de ataque]: The total number of possible entry points for unauthorized access to a system. +*[superfície de ataque]: The total number of possible entry points for unauthorized access to a system *[AVB]: Boot verificado de Android *[cgroups]: Grupo de controle *[CLI]: Interface de Linha de Comando *[CSV]: Valores separados por vírgulas *[CVE]: Vulnerabilidades e exposições comuns -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Extensões de segurança do sistema de nomes de domínio *[DNS]: Sistema de nomes de domínio *[DoH]: DNS sobre HTTPS *[DoQ]: DNS sobre QUIC *[DoH3]: DNS sobre HTTP/3 *[DoT]: DNS sobre TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Encriptação ponta-a-ponta/Encriptado *[ECS]: Sub-rede do cliente EDNS *[EEA]: Espaço Económico Europeu -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: Expiração *[Exif]: Formato de ficheiro de imagem intercambiável *[FCM]: Mensagens em nuvem do Firebase *[FDE]: Encriptação completa do disco *[FIDO]: Identidade rápida online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: Regulamento Geral de Proteção de Dados (RGPD) *[GPG]: GNU Privacy Guard (implementação do PGP) *[GPS]: Sistema de Posicionamento Global *[GUI]: Interface gráfica do utilizador *[GnuPG]: GNU Privacy Guard (implementação do PGP) *[HDD]: Disco rígido -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Protocolo de transferência de hipertexto seguro *[HTTP]: Protocolo de transferência de hipertexto -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Identificador de cartão de circuito integrado *[IMAP]: Protocolo de acesso a mensagens da Internet *[IMEI]: Identidade Internacional de Equipamento Móvel 
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers – Fornecedores de Internet *[JNI]: Interface nativa Java *[KYC]: Conheça o seu cliente -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Controle de Acesso Mídia *[MDAG]: Proteção de aplicações do Microsoft Defender *[MEID]: Identificador de equipamento móvel *[MFA]: Autenticação multi-fator -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Protocolo de Tempo de Rede *[OCI]: Iniciativa "Recipientes Abertos" *[OCSP]: Protocolo de Status de Certificados Online *[OEM]: Fabricante de equipamento original *[OEMs]: Fabricantes de equipamento original +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Sistema operativo *[OTP]: Palavra-passe de utilização única *[OTPs]: Palavra-passe de utilização única 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Módulos de autenticação plugáveis Linux *[POP3]: Protocolo de Correio 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Informações pessoais identificáveis *[QNAME]: Nome qualificado -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Linux com segurança reforçada *[SIM]: Módulo de identidade do assinante @@ -83,10 +86,12 @@ *[SNI]: Indicação do nome do servidor *[SSD]: Unidade de disco de estado sólido *[SSH]: Shell seguro -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software como serviço (software em nuvem) *[SoC]: Sistema em chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Protocolo de Controlo de Transmissão *[TEE]: Ambiente de execução fiável *[TLS]: Segurança da camada de transporte diff --git a/includes/abbreviations.ru.txt b/includes/abbreviations.ru.txt index ee1e4d2f..e006b867 100644 --- a/includes/abbreviations.ru.txt +++ b/includes/abbreviations.ru.txt 
@@ -2,42 +2,42 @@ *[ADB]: (англ. Android Debug Bridge) - Отладочный мост Android *[AOSP]: (англ. Android Open Source Project) - Проект с открытым исходным кодом Android *[ATA]: (англ. Advanced Technology Attachment) - Интерфейс подключения накопителей к компьютеру -*[поверхность атаки]: The total number of possible entry points for unauthorized access to a system. +*[поверхность атаки]: The total number of possible entry points for unauthorized access to a system *[AVB]: (англ. Android Verified Boot) - Проверенная загрузка Android *[cgroups]: (англ. Control Groups) - Контрольные группы *[CLI]: (англ. Command-line interface) - Интерфейс командной строки *[CSV]: Comma-Separated Values, формат таблиц *[CVE]: Common Vulnerabilities and Exposures -*[тёмный паттерн]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[тёмный паттерн]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: (англ. Domain Name System Security Extensions) - Модули безопасности службы доменных имен *[DNS]: (англ. Domain Name System) - Система доменных имен *[DoH]: DNS через HTTPS *[DoQ]: DNS через QUIC *[DoH3]: DNS через HTTP/3 *[DoT]: DNS через TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: (англ. End-to-End Encryption) - Сквозное шифрование *[ECS]: Подсеть клиента EDNS *[ЕЭЗ]: Европейская экономическая зона -*[энтропия]: A measurement of how unpredictable something is. +*[энтропия]: A measurement of how unpredictable something is *[EOL]: (англ. End-of-Life) - Конец поддержки *[Exif]: (англ. Exchangeable image file format) - Метаданные в фотографиях или видео *[FCM]: (англ. 
Firebase Cloud Messaging) - Сервис для отправки push-уведомлений и сообщений *[FDE]: (англ. Full Disk Encryption) - Полное шифрование диска *[FIDO]: (англ. Fast IDentity Online) - Стандарт для быстрой и безопасной аутентификации онлайн *[ПС]: Прямая секретность (Forward Secrecy) -*[форк]: A new software project created by copying an existing project and adding to it independently. +*[форк]: A new software project created by copying an existing project and adding to it independently *[GDPR]: (англ. General Data Protection Regulation) - Это регламент ЕС, направленный на защиту персональных данных *[GPG]: GNU Privacy Guard (реализация PGP) *[GPS]: Глобальная система позиционирования *[GUI]: Графический пользовательский интерфейс *[GnuPG]: GNU Privacy Guard (реализация PGP) *[HDD]: Жесткий диск -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Безопасный протокол передачи гипертекста *[HTTP]: Протокол передачи гипертекста -*[гипервизор]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[гипервизор]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Протокол доступа к сообщениям в интернете *[IMEI]: Международная идентификация мобильного оборудования 
@@ -49,19 +49,22 @@ *[ISPs]: Интернет-провайдеры *[JNI]: Нативный интерфейс Java *[KYC]: Знай своего клиента (Know Your Customer) -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Управление доступом к среде *[MDAG]: Защита приложений при помощи Microsoft Defender *[MEID]: Идентификатор мобильного оборудования *[MFA]: Многофакторная аутентификация -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Сетевой протокол времени *[OCI]: Инициатива, которая создаёт открытые стандарты для контейнеров *[OCSP]: Протокол состояния сетевого сертификата *[OEM]: Оригинальный производитель оборудования *[OEMs]: Оригинальные производители оборудования +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[ОС]: Операционная система *[OTP]: Одноразовый пароль (One-Time Password) *[OTPs]: Одноразовые пароли (One-Time Passwords) 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Подключаемые модули аутентификации Linux *[POP3]: Протокол почтового отделения версии 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[ПД]: Персональные данные *[QNAME]: Квалифицированное имя элемента, атрибута или идентификатора в документе XML -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Ограничения на количество запросов или действий, которые можно выполнить в определенный период времени. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Способ распространения лент новостей или изменений в блогах *[SELinux]: Linux с повышенной безопасностью *[SIM]: Модуль идентификации абонента @@ -83,10 +86,12 @@ *[SNI]: Индикация имени сервера *[SSD]: Твердотельный накопитель *[SSH]: Безопасная оболочка -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Программное обеспечение как услуга (облачное программное обеспечение) *[SoC]: Система на кристалле (System on Chip) -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Протокол управления передачей данных *[TEE]: Доверенная среда исполнения *[TLS]: Протокол защиты транспортного уровня diff --git a/includes/abbreviations.sv.txt b/includes/abbreviations.sv.txt index 9591f871..2cb3b9ba 100644 --- a/includes/abbreviations.sv.txt +++ b/includes/abbreviations.sv.txt 
@@ -2,42 +2,42 @@ *[ADB]: Felsökning av Android *[AOSP]: Android Open Source-projekt *[ATA]: Avancerad teknikbilaga -*[attackyta]: The total number of possible entry points for unauthorized access to a system. +*[attackyta]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android verifierad uppstart *[cgroups]: Kontrollgrupper *[CLI]: Kommandoradsgränssnitt *[CSV]: Kommaseparerade värden *[CVE]: Vanliga sårbarheter och exponeringar -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Säkerhetstillägg för domännamnssystem *[DNS]: Domännamnssystem *[DoH]: DNS över HTTPS *[DoQ]: DNS över QUIC *[DoH3]: DNS över HTTPS *[DoT]: DNS över TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End-kryptering/krypterad *[ECS]: EDNS Client Subnet *[EEA]: Europeiska ekonomiska samarbetsområdet -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: Slutet av livslängden *[Exif]: Utbytbart bildfilformat *[FCM]: Firebase Cloud Messaging *[FDE]: Fullständig diskkryptering *[FIDO]: Snabb IDentitet online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: Allmän dataskyddsförordning *[GPG]: GNU Privacy Guard (PGP-implementering) *[GPS]: Globalt positioneringssystem *[GUI]: Grafiskt användargränssnitt *[GnuPG]: GNU Privacy Guard (PGP-implementering) *[HDD]: Hårddisk -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Säkert *[HTTP]: Hypertextöverföringsprotokoll -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Identifierare för integrerat kretskort *[IMAP]: Protokoll för åtkomst till Internetmeddelanden *[IMEI]: Internationell identitet för mobil utrustning 
@@ -49,19 +49,22 @@ *[ISPs]: Internetleverantör *[JNI]: Java inbyggt gränssnitt *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Medieåtkomstkontroll *[MDAG]: Microsoft Defender Application Guard *[MEID]: Identifiering av mobil utrustning *[MFA]: Multi-Faktor Autentisering -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Nätverkstidsprotokoll *[OCI]: Initiativ för öppna behållare *[OCSP]: Certifikatstatus online *[OEM]: Originalutrustningstillverkare *[OEMs]: Originalutrustningstillverkare +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operativsystem *[OTP]: Engångslösenord *[OTPs]: Engångslösenord 
@@ -69,12 +72,12 @@ *[P2P]: Peer-To-Peer *[PAM]: Linux Pluggable autentiseringsmoduler *[POP3]: Postkontorets protokoll 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personligt identifierbar information *[QNAME]: Kvalificerat namn -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rullande utgåva]: Updates which are released frequently rather than at set intervals. +*[rullande utgåva]: Updates which are released frequently rather than set intervals *[RSS]: Riktigt enkel syndikering *[SELinux]: Linux med förbättrad säkerhet *[SIM]: Modul för abonnentidentitet @@ -83,10 +86,12 @@ *[SNI]: Serverns namnindikering *[SSD]: Ssd-disk *[SSH]: Säkert skal -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Programvara som tjänst (molnprogramvara) *[SoC]: System på chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Protokoll för överföringskontroll *[TEE]: Miljö för tillförlitlig utförande *[TLS]: Säkerhet för transportlager diff --git a/includes/abbreviations.tr.txt b/includes/abbreviations.tr.txt index 3a217efe..4cd621b3 100644 --- a/includes/abbreviations.tr.txt +++ b/includes/abbreviations.tr.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Hata Ayıklama Köprüsü *[AOSP]: Android Açık Kaynak Projesi *[ATA]: İleri Teknoloji Eklentisi -*[saldırı yüzeyi]: The total number of possible entry points for unauthorized access to a system. +*[saldırı yüzeyi]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Onaylanmış Önyükleme *[cgroups]: Kontrol Grupları *[CLI]: Komut Satırı Arayüzü *[CSV]: CSV Dosyası *[CVE]: Yaygın Zafiyetler ve Açıklar -*[karanlık desen]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[karanlık desen]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Alan Adı Sistemi Güvenlik Eklentileri *[DNS]: Alan Adı Sistemi *[DoH]: HTTPS üzerinden DNS *[DoQ]: QUIC üzerinden DNS *[DoH3]: HTTP/3 üzerinden DNS *[DoT]: TLS üzerinden DNS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Uçtan Uca Şifreleme/Şifreli *[ECS]: EDNS İstemci Alt Ağı *[AEA]: Avrupa Ekonomik Alanı -*[entropi]: A measurement of how unpredictable something is. +*[entropi]: A measurement of how unpredictable something is *[EOL]: Kullanım Ömrü Sonu *[Exif]: Değişebilir görüntü dosyası biçimi *[FCM]: Firebase Cloud Messaging *[FDE]: Tam Disk Şifreleme *[FIDO]: Fast IDentity Online *[FS]: İleriye dönük gizlilik -*[çatal]: A new software project created by copying an existing project and adding to it independently. 
+*[çatal]: A new software project created by copying an existing project and adding to it independently *[GDPR]: Genel Veri Koruma Tüzüğü *[GPG]: GNU Privacy Guard (PGP uygulaması) *[GPS]: Küresel Konum Belirleme Sistemi *[GUI]: Grafik Kullanıcı Arayüzü *[GnuPG]: GNU Privacy Guard (PGP uygulaması) *[HDD]: Sabit Disk Sürücüsü -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Güvenli Hiper Metin Transfer Protokolü *[HTTP]: Hiper Metin Transfer Protokolü -*[hipervizör]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hipervizör]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Entegre Devre Kartı Tanımlayıcısı *[IMAP]: İnternet Mesaj Erişim Protokolü *[IMEI]: Uluslararası Mobil Cihaz Kodu 
@@ -49,19 +49,22 @@ *[İSS'ler]: İnternet Servis Sağlayıcıları *[JNI]: Java Yerel Arayüzü *[KYC]: Müşterini Tanı -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Ortam Erişim Yönetimi *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobil Ekipman Tanımlayıcı *[MFA]: Çok Faktörlü Kimlik Doğrulama -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Ağ Zaman Protokolü *[OCI]: Açık Konteyner Girişimi *[OCSP]: Çevrimiçi Sertifika Durum Protokolü *[OEM]: Orijinal Ürün Üreticisi *[OEM'ler]: Orijinal Ürün Üreticiler +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[İS]: İşletim Sistemi *[OTP]: Tek Seferlik Parola *[OTP'ler]: Tek Seferlik Parolalar 
@@ -69,12 +72,12 @@ *[P2P]: Eşler Arası *[PAM]: Linux Takılabilir Kimlik Doğrulama Modülleri *[POP3]: Postane Protokolü 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Kişiyi Tanımlamak İçin Kullanılan Bilgiler *[QNAME]: Nitelikli Ad -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[oran sınırları]: Ücret sınırları, bir hizmetin, bir kullanıcının belirli bir süre içinde hizmetlerine kaç kez erişebileceği konusunda getirdiği kısıtlamalardır. -*[yuvarlanan sürüm]: Updates which are released frequently rather than at set intervals. +*[yuvarlanan sürüm]: Updates which are released frequently rather than set intervals *[RSS]: Gerçekten Basit Dağıtım *[SELinux]: Güvenliği Geliştirilmiş Linux *[SIM]: Abone Kimlik Modülü @@ -83,10 +86,12 @@ *[SNI]: Sunucu Adı Göstergesi *[SSD]: Katı Hâl Sürücüsü *[SSH]: Güvenli Kabuk -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Hizmet Olarak Yazılım (bulut yazılım) *[SoC]: Yongada Sistem -*[TOA]: Single Sign-On +*[TOA]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: İletim Kontrol Protokolü *[TEE]: Güvenilir Yürütme Ortamı *[TLS]: Taşıma Katmanı Güvenliği diff --git a/includes/abbreviations.uk.txt b/includes/abbreviations.uk.txt index c4422818..1c799a08 100644 --- a/includes/abbreviations.uk.txt +++ b/includes/abbreviations.uk.txt 
@@ -2,42 +2,42 @@ *[ADB]: Налагоджувальний міст для Android (Android Debugging Bridge) *[AOSP]: Проект з відкритим вихідним кодом Android (Android Open Source Project) *[ATA]: Передове технологічне обладнання (Advanced Technology Attachment) -*[поверхня атаки]: The total number of possible entry points for unauthorized access to a system. +*[поверхня атаки]: The total number of possible entry points for unauthorized access to a system *[AVB]: Перевірене завантаження Android (Android Verified Boot) *[cgroups]: Контрольні групи Linux (Control Groups) *[CLI]: Інтерфейс командного рядка (Command Line Interface) *[CSV]: Значення, розділені комами (Comma-Separated Values) *[CVE]: Поширені вразливості та ризики (Common Vulnerabilities and Exposures) -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Розширення безпеки системи доменних імен (Domain Name System Security Extensions) *[DNS]: Система доменних імен (Domain Name System) *[DoH]: DNS через HTTPS (DNS over HTTPS) *[DoQ]: DNS через QUIC (DNS over QUIC) *[DoH3]: DNS через HTTP/3 (DNS over HTTP/3) *[DoT]: DNS через TLS (DNS over TLS) -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: Наскрізне шифрування/зашифроване (End-to-End Encryption/Encrypted) *[ECS]: Клієнтська підмережа EDNS (EDNS Client Subnet) *[EEA]: Європейська економічна зона (European Economic Area) -*[ентропія]: A measurement of how unpredictable something is. 
+*[ентропія]: A measurement of how unpredictable something is *[EOL]: Кінець життя/терміну служби (End-of-Life) *[Exif]: Обмінний формат файлів зображень (Exchangeable image file format) *[FCM]: Хмарний обмін повідомленнями Firebase (Firebase Cloud Messaging) *[FDE]: Повне шифрування диска (Full Disk Encryption) *[FIDO]: Швидка ідентифікація особи онлайн (Fast IDentity Online) *[FS]: Forward Secrecy -*[форк]: A new software project created by copying an existing project and adding to it independently. +*[форк]: A new software project created by copying an existing project and adding to it independently *[GDPR]: Загальний регламент про захист даних ЄС (General Data Protection Regulation) *[GPG]: GNU Privacy Guard (реалізація PGP) *[GPS]: Система глобального позиціювання (Global Positioning System) *[GUI]: Графічний інтерфейс користувача (Graphical User Interface) *[GnuPG]: GNU Privacy Guard (реалізація PGP) *[HDD]: Жорсткий диск (Hard Disk Drive) -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Безпечний протокол передачі гіпертексту (Hypertext Transfer Protocol Secure) *[HTTP]: Протокол передачі гіпертексту (Hypertext Transfer Protocol) -*[гіпервізор]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[гіпервізор]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Ідентифікатор плати інтегральної мікросхеми (Integrated Circuit Card Identifier) *[IMAP]: Протокол доступу до Інтернет-повідомлень (Internet Message Access Protocol) *[IMEI]: Міжнародний ідентифікатор мобільного обладнання (International Mobile Equipment Identity) 
@@ -49,19 +49,22 @@ *[ISPs]: Інтернет-провайдери (Internet Service Providers) *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Factor Authentication -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: One-Time Password *[OTPs]: One-Time Passwords 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.vi.txt b/includes/abbreviations.vi.txt index d8a21651..de1c9c55 100644 --- a/includes/abbreviations.vi.txt +++ b/includes/abbreviations.vi.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android Debug Bridge *[AOSP]: Android Open Source Project *[ATA]: Advanced Technology Attachment -*[attack surface]: The total number of possible entry points for unauthorized access to a system. +*[attack surface]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android Verified Boot *[cgroups]: Control Groups *[CLI]: Command Line Interface *[CSV]: Comma-Separated Values *[CVE]: Common Vulnerabilities and Exposures -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: Domain Name System Security Extensions *[DNS]: Domain Name System *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End Encryption/Encrypted *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: End-of-Life *[Exif]: Exchangeable image file format *[FCM]: Firebase Cloud Messaging *[FDE]: Full Disk Encryption *[FIDO]: Fast IDentity Online *[FS]: Forward Secrecy -*[fork]: A new software project created by copying an existing project and adding to it independently. 
+*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: General Data Protection Regulation *[GPG]: GNU Privacy Guard (PGP implementation) *[GPS]: Global Positioning System *[GUI]: Graphical User Interface *[GnuPG]: GNU Privacy Guard (PGP implementation) *[HDD]: Hard Disk Drive -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: Hypertext Transfer Protocol Secure *[HTTP]: Hypertext Transfer Protocol -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: Integrated Circuit Card Identifier *[IMAP]: Internet Message Access Protocol *[IMEI]: International Mobile Equipment Identity 
@@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: Multi-Factor Authentication -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: Original Equipment Manufacturer *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: Operating System *[OTP]: One-Time Password *[OTPs]: One-Time Passwords 
@@ -69,12 +72,12 @@ *[P2P]: Peer-to-Peer *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security diff --git a/includes/abbreviations.zh-Hant.txt b/includes/abbreviations.zh-Hant.txt index 66e5e5c8..042beb4b 100644 --- a/includes/abbreviations.zh-Hant.txt +++ b/includes/abbreviations.zh-Hant.txt 
@@ -2,42 +2,42 @@ *[ADB]: Android 偵錯橋接器 *[AOSP]: Android 開放原始碼計畫 *[ATA]: 高技術配置 -*[攻擊面]: The total number of possible entry points for unauthorized access to a system. +*[攻擊面]: The total number of possible entry points for unauthorized access to a system *[AVB]: Android 驗證啟動 *[cgroups]: 對照組 *[CLI]: 命令列介面 *[CSV]: 字元分隔值 *[CVE]: 公共漏洞和暴露 -*[詐欺性設計模式]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[詐欺性設計模式]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: 網域名稱系統安全擴充套件 *[DNS]: 域名系統 *[DoH]: 基於 HTTPS 的 DNS 服務 (DNS over HTTPS) *[DoQ]: 基於 QUIC 的 DNS 服務 (DNS over QUIC) *[DoH3]: 基於 HTTP/3 的 DNS 服務 (DNS over HTTP/3) *[DoT]: 基於 TLS 的 DNS 服務 (DNS over TLS) -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: 端對端加密 *[ECS]: EDNS 客戶端子網 *[EEA]: 歐洲經濟區 -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: 產品壽命結束 *[Exif]: 可交換影像檔案格式 *[FCM]: Firebase 雲端訊息傳遞 *[FDE]: 完整磁碟加密 *[FIDO]: 快速線上身份驗證 *[FS]: 前向保密 -*[分支]: A new software project created by copying an existing project and adding to it independently. 
+*[分支]: A new software project created by copying an existing project and adding to it independently *[GDPR]: 一般資料保護規定 (歐盟) *[GPG]: GNU Privacy Guard (基於 PGP 協定) *[GPS]: 全球定位系統 *[GUI]: 圖形使用者介面 *[GnuPG]: GNU Privacy Guard (基於 PGP 協定) *[HDD]: 傳統硬碟 (又稱機械硬碟) -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: 安全超文本傳輸協議 *[HTTP]: 超文本傳輸協議 -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: 集成式迴路卡識別碼 *[IMAP]: 網際網路訊息存取協定 *[IMEI]: 國際行動裝置識別碼 @@ -49,19 +49,22 @@ *[ISPs]: 網際網路服務提供商 *[JNI]: Java 原生介面 *[KYC]: 客戶身分審查 -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: 媒體存取控制 *[MDAG]: Microsoft Defender 應用程式防護 *[MEID]: 行動裝置識別碼 *[MFA]: 多重要素驗證 -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: 網路時間協定 *[OCI]: 開放容器標準 *[OCSP]: 線上憑證狀態協定 *[OEM]: 原始設備製造商 *[OEMs]: 原始設備製造商 +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: 操作系統 *[OTP]: 一次性密碼 *[OTPs]: 一次性密碼 
@@ -69,12 +72,12 @@ *[P2P]: 點對點網路 (又稱對等式網路) *[PAM]: Linux 插入式驗證模組 *[POP3]: 郵局協定第 3 版 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: 個人可識別資訊 *[QNAME]: 限定名稱 -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[滾動式更新]: Updates which are released frequently rather than at set intervals. +*[滾動式更新]: Updates which are released frequently rather than set intervals *[RSS]: 簡易資訊聚合格式 *[SELinux]: 安全增強型 Linux *[SIM]: 使用者身分模組 @@ -83,10 +86,12 @@ *[SNI]: 伺服器名稱指示 *[SSD]: 固態硬碟 *[SSH]: 安全殼層 -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: 軟體即服務 (雲端軟體) *[SoC]: 系統晶片 -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: 傳輸控制通訊協定 *[TEE]: 受信任執行環境 *[TLS]: 傳輸層安全性 diff --git a/includes/abbreviations.zh.txt b/includes/abbreviations.zh.txt index b4fc9fbe..3aef4ac2 100644 --- a/includes/abbreviations.zh.txt +++ b/includes/abbreviations.zh.txt 
@@ -2,42 +2,42 @@ *[ADB]: 安卓调试桥接器 *[AOSP]: 安卓开源项目 *[ATA]: 先进技术附件 -*[攻击面]: The total number of possible entry points for unauthorized access to a system. +*[攻击面]: The total number of possible entry points for unauthorized access to a system *[AVB]: 安卓验证启动 *[cgroups]: 控制组 *[CLI]: 命令行界面 *[CSV]: 逗号分隔值 *[CVE]: 常见漏洞和风险 -*[dark pattern]: A deceptive design pattern intended to trick a user into taking certain actions. -*[digital legacy]: A feature that allows you to give other people access to your data when you die. +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die *[DNSSEC]: 域名系统安全扩展 *[DNS]: 域名系统 *[DoH]: DNS over HTTPS *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS -*[DPI]: Deep Packet Inspection +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: 端到端加密 *[ECS]: EDNS 客户子网 *[EEA]: 欧洲经济区 -*[entropy]: A measurement of how unpredictable something is. +*[entropy]: A measurement of how unpredictable something is *[EOL]: 服务终止 *[Exif]: 可交换图片文件格式 *[FCM]: Firebase云消息 *[FDE]: 全盘加密 *[FIDO]: 快速在线身份认证 *[FS]: 前向保密 -*[fork]: A new software project created by copying an existing project and adding to it independently. +*[fork]: A new software project created by copying an existing project and adding to it independently *[GDPR]: 通用数据保护条例(欧盟) *[GPG]: GNU Privacy Guard (PGP 实现) *[GPS]: 全球定位系统 *[GUI]: 图形用户界面 *[GnuPG]: GNU Privacy Guard (PGP 实现) *[HDD]: 机械硬盘 -*[HOTP]: HMAC (Hash-based Message Authentication Code)-based One-Time Password +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password *[HTTPS]: 安全超文本传输协议 *[HTTP]: 超文本传输协议 -*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems. 
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems *[ICCID]: 集成电路卡标识符 *[IMAP]: 互联网消息访问协议 *[IMEI]: 国际移动设备识别码 @@ -49,19 +49,22 @@ *[ISPs]: Internet Service Providers *[JNI]: Java Native Interface *[KYC]: Know Your Customer -*[LUKS]: Linux Unified Key Setup (full disk encryption) +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) *[MAC]: Media Access Control *[MDAG]: Microsoft Defender Application Guard *[MEID]: Mobile Equipment Identifier *[MFA]: 多因素认证 -*[NVMe]: Non-Volatile Memory Express -*[NAT]: Network Address Translation -*[NAT-PMP]: NAT (Network Address Translation) Port Mapping Protocol +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol *[NTP]: Network Time Protocol *[OCI]: Open Container Initiative *[OCSP]: Online Certificate Status Protocol *[OEM]: 原始设备制造商 *[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. *[OS]: 操作系统 *[OTP]: 一次性口令 *[OTPs]: 一次性口令 
@@ -69,12 +72,12 @@ *[P2P]: 点对点传输 *[PAM]: Linux Pluggable Authentication Modules *[POP3]: Post Office Protocol 3 -*[PGP]: Pretty Good Privacy +*[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name -*[QUIC]: A network protocol that is based on UDP, but aims to combine the speed of UDP with the reliability of TCP. +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. -*[rolling release]: Updates which are released frequently rather than at set intervals. +*[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux *[SIM]: Subscriber Identity Module @@ -83,10 +86,12 @@ *[SNI]: Server Name Indication *[SSD]: Solid-State Drive *[SSH]: Secure Shell -*[SUID]: Set User Identity +*[SUID]: Set Owner User ID *[SaaS]: Software as a Service (cloud software) *[SoC]: System on Chip -*[SSO]: Single Sign-On +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. *[TCP]: Transmission Control Protocol *[TEE]: Trusted Execution Environment *[TLS]: Transport Layer Security
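Review bot: The `@@ -2,42 +2,42 @@` hunks in abbreviations.uk.txt, abbreviations.vi.txt, abbreviations.zh-Hant.txt and abbreviations.zh.txt strip the trailing period from `attack surface`, `dark pattern`, `entropy`, `fork` and `hypervisor`, while the `@@ -69,12 +72,12 @@` and `@@ -83,10 +86,12 @@` hunks in the same files keep or add one on `QUIC`, `rate limits`, `open-weights`, `system prompt` and `temperature`. Since every one of these renders as a tooltip, pick one convention for sentence-style definitions and apply it across the file. The same hunks also switch `NAT` and `SSO` to sentence case (`Network address translation`, `Single sign-on`) while the neighbouring `Network Time Protocol` and `Transmission Control Protocol` stay in title case; expansions of proper protocol names should keep the casing the standards use.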
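Review bot: `+*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads` in every `@@ -2,42 +2,42 @@` hunk has a grammar error (`packet` should be `packets`) and overstates what DPI is: inspection of packet payloads is the technique, and blocking is only one thing an operator may do with the result (logging, throttling or redirecting are others). Suggest keeping the expansion and describing the capability rather than a single outcome, e.g. `Deep Packet Inspection (examining packet payloads, not just headers, which lets a network operator identify or filter traffic by content)`.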
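Review bot: Renaming the key from `*[digital legacy]` to `*[digital legacy feature]` in the `@@ -2,42 +2,42 @@` hunks changes which page text gets the tooltip, because abbreviation entries match on the exact key. Any content page that mentions "digital legacy" without the word "feature" will silently lose its definition after this change. Either confirm that every occurrence in the content pages now reads "digital legacy feature", or keep the shorter key as well. The new wording `Digital Legacy refers to features that allow you to give other people access to your data when you die` is also longer than it needs to be; the previous `A feature that allows you to give other people access to your data when you die` read better.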
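Review bot: Two of the rewordings introduce grammar regressions. In the `@@ -69,12 +72,12 @@` hunks, `+*[rolling release]: Updates which are released frequently rather than set intervals` (and the tr/zh-Hant equivalents under `yuvarlanan sürüm` and `滾動式更新`) drops the preposition the sentence needs; restore `rather than at set intervals`. In the `@@ -2,42 +2,42 @@` hunks, `+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password` removes the hyphen that binds `HMAC` to `based`; the RFC 4226 title is "HMAC-Based One-Time Password Algorithm", so `HMAC-based One-Time Password` with the parenthetical after it keeps the name recognisable.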
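Review bot: The `@@ -49,19 +49,22 @@` hunks add `*[LLMs]` but no singular `*[LLM]`, whereas the same block defines both `*[OTP]` and `*[OTPs]`; any page that writes "an LLM" will get no tooltip, so add the singular form. In the new `+*[open-weights]: An open weights-model is an AI model ...` line the hyphen is misplaced relative to the key (`open-weights model`), and the definition would be clearer as a description rather than a restatement, e.g. `An AI model whose trained weights anyone can download and run, but whose training data and/or training code remain proprietary`. In the `@@ -69,12 +72,12 @@` hunks, `+*[PGP]: Pretty Good Privacy (see OpenPGP)` cross-references a term that does not appear in the visible context; check that an `*[OpenPGP]` entry exists in each file, otherwise the pointer leads nowhere.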
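Review bot: Every added or changed definition in these locale files lands in English: `+*[LLaVA]`, `+*[LLMs]`, `+*[open-weights]`, `+*[system prompt]` and `+*[temperature]` in the `@@ -49,19 +49,22 @@` and `@@ -83,10 +86,12 @@` hunks, and the tr file's `+*[TOA]: Single sign-on` pairs a Turkish key with an English expansion. That is the expected result of a Crowdin source sync before translators have caught up, but it means Turkish, Ukrainian, Vietnamese and Chinese readers will see English tooltips for exactly the new AI-related terms this change introduces. Worth tracking as follow-up translation work rather than merging as final content, and worth noting that `+*[SUID]: Set Owner User ID` in the `@@ -83,10 +86,12 @@` hunks replaces one expansion with another non-standard one; the Linux manual pages call it the "set-user-ID" bit, and since this glossary explains the security meaning of other terms, `Set User ID (a bit that makes an executable run with its owner's privileges)` would be more useful than either.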